Introduce a new range of app-zygote isolated UIDs, [90000..98999].
For each app that uses an application Zygote, allocate a range of
100 isolated UIDs. The application Zygote for an app will get a
UID out of that range, and all other children that are forked
from that zygote will get a UID from the same range.
Bug: 111434506
Test: app Zygote and its children run in the new range of
isolated UIDs (with SELinux disabled). New set of
tests for UID allocators pass.
Change-Id: I7a6883a5ddb95683932c93ea77f4e52d8f37fa4f
When an application has requested isolated services to be spawned
from an app zygote, we need to spawn the app zygote itself, and then
ask it to fork an isolated service.
The application zygote currently only creates the class loader, and
doesn't do much else. We keep track of the isolated services that
use the app zygote, and when the last isolated service goes away,
we stop the app zygote itself (after a timeout).
The app zygote itself runs with the app's UID and under the app
seccomp filter. That last one is too restricted, so this currently
only works with SELinux disabled.
Future CLs will add an application callback for preloading.
Test: start multiple isolated services with useAppZygote="true",
verify app_zygote starts, services start as a child of
app_zygote. Stopping all services stops app_zygote as well.
Bug: 111434506
Change-Id: I10ee1d4bd148c9298974d434fbc5e5eccbec16cb
The new isolated storage model we're building in Q introduces new
strongly-typed media permissions which replace the broad "Storage"
runtime permission.
That legacy "Storage" permission is marked as being "removed", and
it also splits into the new media permissions, but apps are confused
when they request the "Storage" permission, which no longer appears
as granted when the user accepts the new split media permissions.
After discussing with the permissions team, the best short-term
solution is to add special-case logic that grants the legacy
permissions when *any* of the new media permissions have also been
granted. Only when the user revokes *all* of the new media
permissions is the legacy permission then revoked. (MediaProvider
is already internally filtering the relevant content based on what
new media permissions the caller holds.)
Bug: 121227859
Test: manual
Change-Id: Ic87f7f93a816e91f7189509386255a260378c255
Error code 51 is given when trying to downgrade a device, so this is
required to fix our broken CTS test and give an accurate error code to
the admin.
Change-Id: I436fb7a605dc47dc5388c78c67d7db08ffcf867a
Fixes: 120896091
Test: atest CtsDevicePolicyManagerTestCases:com.android.cts.devicepolicy.DeviceOwnerTest#testInstallUpdate
Allowing customized whitelist filename could result in inconsistency and
fragmentations in toolings.
BUG: 120870520
Test: Build, flash and boot
Change-Id: Ibe9337b358b6a67600048f1661d73574d7bea607
We have rebranded this project to Game Update Package, and GUP for short.
BUG: 119221883
Test: Build, flash and boot. Verify by going to developer options.
Change-Id: If284bd3e0b29cb025833be29fa33179011c151d7
If a session is marked as isStaged, write the package files directly on
a directory named /data/staging/session_${SESSION_ID}, instead of the
/data/app temporary directory. This allows us to set different SELinux
policy (e.g. allowing apexd to read that directory), and to persist the
data across reboots without altering the existing code.
To ensure we cover existing workflows, in this CL we try as much as
possible to re-use existing code to create staging directories and wire
data into them.
Bug: 118865310
Test: Verified that adb install --staged file.apk successfully creates a
/data/staging/session_SESSION_ID/base.apk file. If --apex is passed, the
file is named base.apex.
Change-Id: Iacfd7cfb90b738eeb752fec3e6a4e38ea307259a
Members modified herein are suspected to be false positives: i.e. things
that were added to the greylist in P, but subsequent data analysis
suggests that they are not, in fact, used after all.
Add a maxTargetSdk=P to these APIs. This is lower-risk that simply
removing these things from the greylist, as none of out data sources are
perfect nor complete.
For APIs that are not supported yet by annotations, move them to
hiddenapi-greylist-max-p.txt instead which has the same effect.
Exempted-From-Owner-Approval: Automatic changes to the codebase
affecting only @UnsupportedAppUsage annotations, themselves added
without requiring owners approval earlier.
Bug: 115609023
Test: m
Change-Id: Ia937d8c41512e7f1b6e7f67b9104c1878b5cc3a0
Merged-In: I020a9c09672ebcae64c5357abc4993e07e744687
Members modified herein are suspected to be false positives: i.e. things
that were added to the greylist in P, but subsequent data analysis
suggests that they are not, in fact, used after all.
Add a maxTargetSdk=P to these APIs. This is lower-risk that simply
removing these things from the greylist, as none of out data sources are
perfect nor complete.
For APIs that are not supported yet by annotations, move them to
hiddenapi-greylist-max-p.txt instead which has the same effect.
Exempted-From-Owner-Approval: Automatic changes to the codebase
affecting only @UnsupportedAppUsage annotations, themselves added
without requiring owners approval earlier.
Bug: 115609023
Test: m
Change-Id: I020a9c09672ebcae64c5357abc4993e07e744687
The app is not started yet, and does not contain any service for now.
Test: built, booted
Bug: b/112869080
Change-Id: Id5a0fd02c891100e85d86b1040e53beec3581950
The GraphicsEnvironment/GraphicsEnv code is being refactored to allow
for better resource management related to open files and file
descriptors and reducing the amount of times the rules files are parsed.
This is also laying the groundwork for other modules to query if ANGLE
will be loaded or not, for example to display a dialog box to the user
when ANGLE is selected for an app.
Bug: 120910315
Test: Verify CtsAngleIntegrationHostTestCases passes.
Change-Id: Iedd4e8cd3c79c6656bc824def228213f76ef9849
For apps which target Q or above, add the O_CLOEXEC flags to
ParcelFileDescriptors.
O_CLOEXEC is essential for ensuring that file descriptors do not leak
across an exec() boundary. Setting O_CLOEXEC ensures that file
descriptors can't linger around unnecessarily in an exec()ed process
which doesn't use them, making more efficient use of resources.
Additionally, O_CLOEXEC is important in ensuring that untrusted
exec()ed code cannot take advantage of leaked file descriptors.
Test: Android compiles and boots
Bug: 120983106
Change-Id: Idb3eb8f0e43968396a3b3a8bddc26a8d94c55bde
The currently requested feature flag value may lag behind what's
actually active for the current boot, so take a snapshot of the value
that's being used for the current boot.
Bug: 121195267
Test: manual
Change-Id: I969f1d9d385e7610b366df41d2c7728a596d114c
Don't use Os.dup(), as it creates file handles which leak across exec()
boundaries. Instead, use fcntl(F_DUPFD_CLOEXEC);
O_CLOEXEC is essential for ensuring that file descriptors do not leak
across an exec() boundary. Setting O_CLOEXEC ensures that file
descriptors can't linger around unnecessarily in an exec()ed process
which doesn't use them, making more efficient use of resources.
Additionally, O_CLOEXEC is important in ensuring that untrusted
exec()ed code cannot take advantage of leaked file descriptors.
Test: Android compiles and boots
Bug: 120983106
Change-Id: I99a66834cc6b9bb25e1b4daf75384ec6a91ae9e2
O_RDONLY, O_WRONLY, and O_RDWR are not flags. Rather, they are the
integer values 0, 1, and 2, respectively.
#define O_RDONLY 00000000
#define O_WRONLY 00000001
#define O_RDWR 00000002
Quoting "man 2 open"
* File access mode *
Unlike the other values that can be specified in flags,
the access mode values O_RDONLY, O_WRONLY, and O_RDWR do not
specify individual bits. Rather, they define the low order
two bits of flags, and are defined respectively as 0, 1, and
2. In other words, the combination O_RDONLY | O_WRONLY is a
logical error, and certainly does not have the same meaning
as O_RDWR.
Linux reserves the special, nonstandard access mode 3
(binary 11) in flags to mean: check for read and write
permission on the file and return a file descriptor that
can't be used for reading or writing. This nonstandard access
mode is used by some Linux drivers to return a file
descriptor that is to be used only for device-specific
ioctl(2) operations.
Rather than treat these values like flags, use O_ACCMODE to extract the
values and then perform the comparisons.
Introduced in 63280e06fc.
Test: android compiles and boots.
Change-Id: I4d3185e835615ffba3a7854d3d58351e124599d0
In order to support multiple ANGLE builds (Google-signed,
AOSP unsigned, OEM-signed), we will use intent-filter to
indicate that ANGLE is installed. During CTS testing,
we will verify that only a single ANGLE is installed and
provides the necessary functionality.
Bug: 120487920
Test: Verify ANGLE CTS hostside tests pass.
Change-Id: If3491475e776e26b3656c377d2b28c0c8bb66da2
Moving forward as we start enabling isolated storage in various
dogfood groups, we'll need to maintain separate values for the
feature flag for both "local" and "remote" opinions. Any strongly
expressed local opinion will always take precidence over any remote
opinion.
Any changes to these feature flags means that we need to invalidate
any PackageManager parsed APKs, since PackageParser changes it's
output depending on the flag state. Since other feature flags are
likely to need this type of invalidation in the future, define the
PackageManager cache using a SHA-1 hash of a collection of values
that should invalidate the cache.
Bug: 112545973
Test: atest android.os.SystemPropertiesTest
Change-Id: Ifafcdf15e40e694eb4126e06981aeb82df51da33
Properties accessed across partitions are now schematized and will
become APIs to make explicit interfaces among partitions.
Bug: 117924132
Test: m -j
Change-Id: I8e04f643197b6c8a60cc38c6979e41c5de3469f5
Merged-In: Iedfd3c1dda665006ea5410ee787c3ca447ac7db1
(cherry picked from commit c1246e6c36)
New external storage mount mode for installers so
that they can access obb dirs of all apps.
Bug: 111789719
Test: atest android.appsecurity.cts#testExternalStorageObbGifts
Change-Id: Ifab3c0702a431d542a6a3ae82ca8b67d9fcd7506
NETWORK_TYPE_NR was added in ag/5629764.
This cl adds this new type to the human-readable dump output and ensures
that new network types won't crash the dumpsys (instead they'll print
ERROR).
Bug: 120778989
Test: android.dumpsys.cts.BatteryStatsDumpsysTest#testBatterystatsOutput
Change-Id: I9a6b966ca961bde37eadd924ce3ba0166a943ff8
