The android.content.pm.PackageInstaller install + uninstall APIs are
fully functional. No need to try to keep the intent based APIs
feature compatible.
In the future we will be able to restrict app targeting old targetSDK
levels from using the intent-based API. Even further in the future we
can radically simplify the package installer app.
Fixes: 116616700
Test: Built
Change-Id: Ia225d70fbee3fa31a3c1de388dcb05ff1063dccd
This fix also refactors PackageParser.SigningDetails to move the
pastSigningCertificatesFlags to be a data member of Signature; this
allows the capabilities of a previous signing certificate to be
accessed directly from the Signature object as opposed to relying
on the 1-1 mapping of the past certs and flags in the SigningDetails.
Fixes: 73927696
Fixes: 73925989
Test: adb shell am instrument -w -e class com.android.server.pm.PackageSignaturesTest \
com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I635f2d2209350d066d1fa2ef07460071da0c023e
Add the relevant methods to read from ProtoInputStream to
various classes.
Also add some framework to handle version changes in
UsageStatsDatabase. There is some risk of users losing all their current
UsageStats data, if something goes horribly wrong. The debug flag and a
keep backup files flag are temporarily set in UsageStatsDatabase with
this change. They will both be unset in the future before the Q release.
Some rough number on the impact of this change:
Proto file size on disk reduces to ~47% of XML file size :)
Proto file read time reduces to ~55% of XML file read :)
Proto file write time increases ~17% over the XML file write :(
There will be a follow up CL to address the file write time regression
Bug: 111422946
Fixes: 111449927
Test: atest UsageStatsDatabaseTest
Change-Id: I084aea796ed2163c42947d52396a36cc7c5562a2
An application can declare that it must be installed with at least
one split using the manifest attribute "android:isSplitRequired".
Setting the attribute to 'true' [default is 'false'], the application
can't be installed with a base-only. It must be accompanied by at
least one split [either feature or config].
Change-Id: I42804af34a4209ba5d6726d681ca705ca2c21a39
Fixes: 111391719
Test: atest CtsAppSecurityHostTestCases:SplitTests
The Permission Controller app (a mainline module) needs to be able to
read the SPLIT_PERMISSIONS. Hence this array needs to be exposed at
least as system-api. We need to make sure that the PackageParser,
PackageManager and Permission Controller app agree on which permissions
are split, hence it is best to define them at a single location.
I think exposing the split permissions to developers is useless and
potentially confusing. The app should never request a permission that
was split. The app should just behave as if split permissions do not
exist. The Permission Controller / Package Manager deal with the
split permissions and add them when needed. Hence I don't think we
should expose this data to 3rd parties.
Bug: 110953302
Test: requested permissions
Change-Id: I6951c52979c89ee5c13a4a14da125e1a01f2e234
The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.
This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths. Consider this example:
<path-permission android:pathPrefix="/private" ... />
uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);
content://com.example//private
The Uri above will pass the security check, since it's not
technically a prefix match. But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.
Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.
Bug: 112555574
Test: atest android.appsecurity.cts.AppSecurityTests
Test: atest FrameworksCoreTests:android.content.ContentProviderTest
Change-Id: Ibadbfa4fc904ec54780c8102958735b03293fb9a
Fixes: 112570477
Test: BiometricPromptDemo works
Test: Able to get/use BiometricManager
Test: Tested with enrolled and non-enrolled biometrics
Change-Id: I26231894eccc87c42b5b3007aa0b7c6f09830452
This is in preparation for BiometricManager. Each Manager should have its
own Service.
Bug: 112570477
Test: BiometricPromptDemo works
Change-Id: Ibbbd499a0fd5a2050b329ee038776c6c9f49cdb2
This reverts commit fa894222e6.
Reason for revert: Resubmitting in a topic with the fix for the bug that required the revert
Change-Id: Ia70f966c8757f340ceb14f187e9726c12457403a
If an app was in the TOP state and immediately moved
to a foreground service state, then try harder to keep it
in memory for another 20 seconds before releasing the
memory to bound foreground services. Using an oom_adj value
of 50 which is between "fore" and "vis". So BFGS apps might
get killed ("vis") before this recently FGS'ed app. That
way any app that has a lot of state in memory that it needs
to persist before getting killed has a chance to do so.
Also bind NotificationListeners with a special bind flag
to rank them below FGS (perceptible adj) so that they
can be killed before any other foreground services or
bound services get killed.
Bug: 110969183
Test: Manual for now. Take a bunch of portrait
pictures and hit home, while being under memory
pressure with a bunch of notification listeners.
Change-Id: Ie8934c2331afe6450c582b209869aeca7272f58a
Based on some analysis, these fields/methods are likely false positives.
Set maxTargetSdk=P so that any apps using them are required to migrate off
them in future. See the bug for more details.
Exempted-From-Owner-Approval: Automatic changes to the codebase
affecting only @UnsupportedAppUsage annotations, themselves added
without requiring owners approval earlier.
Bug: 115609023
Test: m
Change-Id: I719b5c94e5b1f4fa562dd5d655953422958ad37e
