This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists:
* system: OS managed, with default grants and role holders being on it;
* upgrade: only the OS puts apps on this list, when upgrading from a pre-
to post-restriction permission database version, and the OS and the
installer on record can remove;
* installer: only the installer on record can add and remove (and the
system of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible for syncing between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade, such as adding all permissions held
by apps pre-upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to VP feedback on how we would handle
SMS/CallLog restriction as we pivoted from a role based approach to roles
for things the user would understand plus a whitelist for everything else.
This would also help us roll out the storage permission softly, as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
bug:124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd

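As an added illustration (not code from this change or from the Android framework), the following Python models the three whitelists, who may add to or remove from each, the "may hold only if whitelisted" rule, and the one-time upgrade step; the Actor and RestrictedPermissionPolicy names and the READ_SMS sample are assumptions of the example, not the framework's API.

```python
# Added example, not framework code: a model of the restricted-permission
# whitelists described in the commit message. Names are assumptions.
from enum import Enum

class Actor(Enum):
    SYSTEM = "system"        # the OS itself
    INSTALLER = "installer"  # the installer on record for the app
    OTHER = "other"          # any other caller, e.g. the app itself

# Who may add to / remove from each list: system is OS managed; upgrade is
# populated only by the OS but may be cleared by the OS or the installer on
# record; installer is managed by the installer on record (and the system).
CAN_ADD = {
    "system": {Actor.SYSTEM},
    "upgrade": {Actor.SYSTEM},
    "installer": {Actor.SYSTEM, Actor.INSTALLER},
}
CAN_REMOVE = {
    "system": {Actor.SYSTEM},
    "upgrade": {Actor.SYSTEM, Actor.INSTALLER},
    "installer": {Actor.SYSTEM, Actor.INSTALLER},
}

class RestrictedPermissionPolicy:
    def __init__(self, restricted):
        self.restricted = frozenset(restricted)          # restricted runtime permissions
        self.lists = {name: set() for name in CAN_ADD}   # list name -> {(pkg, perm)}

    def whitelist(self, name, actor, pkg, perm):
        if actor not in CAN_ADD[name]:
            raise PermissionError(f"{actor.value} may not add to the {name} whitelist")
        self.lists[name].add((pkg, perm))

    def unwhitelist(self, name, actor, pkg, perm):
        if actor not in CAN_REMOVE[name]:
            raise PermissionError(f"{actor.value} may not remove from the {name} whitelist")
        self.lists[name].discard((pkg, perm))

    def may_hold(self, pkg, perm):
        """A restricted permission can be held only while pkg is on some whitelist."""
        if perm not in self.restricted:
            return True
        return any((pkg, perm) in entries for entries in self.lists.values())

    def upgrade_database(self, held):
        """Version bump that newly restricts permissions: keep every restricted
        permission an app already holds by putting it on the upgrade whitelist."""
        for pkg, perm in held:
            if perm in self.restricted:
                self.whitelist("upgrade", Actor.SYSTEM, pkg, perm)
```
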
This API was added in Q but is not necessary anymore as
Os#setsockoptTimeval was exposed as public API.
Test: m
Fixes: 129433363
Merged-In: If4a75f23c6c0589c23cadce3b088966649062463
(cherry picked from commit 77f9d85f12)
Change-Id: I4669eb2f9fa073d765be6bcb5863a5887eaf1ab5

The SocketUtils.attach*Filter and SocketUtils.addArpEntry methods
were added there because they could not be added as JNI inside
the NetworkStack. This was not possible because on Go devices,
the NetworkStack was a jar library. But now, Go also uses an APK.
Hence, move these methods to the NetworkStack.
Fixes: 129433183
Merged-In: I66d7b3e4fbfa32bb0bc853e8cf9399031daff8a9
(cherry picked from commit fe71be2b04)
Change-Id: Ice433a41469e784385f19498c154345d7b9c69b5

Set the default value for the USAP Pool to true for devices that don't
receive DeviceConfig profiles.
Bug: 128851983
Test: m & boot & check log for USAP creation
Change-Id: Id171336671a4fb8b8ad59c5b0e2e725657361107
(cherry picked from commit 0f7bce31a8)

There needs to be a single source of truth about whether DWB is
enabled or disabled.
Bug: 123930917
Test: atest FrameworksServicesTests:DisplayWhiteBalanceTintControllerTest
Change-Id: If634b46c2d0da123901bd5833e2114d958957540
(cherry picked from commit ff6770d669)

This is for statsd to log new metrics, as statsd has moved to use
thermal service in framework instead of connecting to HAL directly.
Bug: 119688911
Test: Build and dumpsys thermalservice
Test: atest $ANDROID_BUILD_TOP/frameworks/base/services/tests/servicestests/src/com/android/server/power/ThermalManagerServiceTest.java
Change-Id: Ib334c448c3615bf9d1cb0f1b6c2dd8a83d44f371

This reverts commit 063eefa78a.
The problem with this fix is that services expect to be able to
determine if a node has certain capabilities, even if it is disabled,
and doesn't have the action associated with them.
Change-Id: Ia17ed6ed5f92737226cfe704dc71957f2ae5541b
Fix: 120247282
Test: it builds.

restorecon_recursive updates the SELinux label of the files in the
filesystem, and then attempts to write the xattr "security.sehash" as an
optimization for future restorecons. Writing security.* extended
attributes requires CAP_SYS_ADMIN, which system_server doesn't have (and
shouldn't have).
Suppress the computation and writing of the hash value. It's not
needed.
This bug has been around for a long time, but due to the fix for
bug 62302954, the error message is being generated more frequently
now.
TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit.
Bugs where this error message has been called out:
Bug: 129766333
Bug: 129271240
Bug: 128700692
Bug: 129925723
Test: install an APK and ensure that no "SELinux: setxattr failed"
error messages are generated.
(cherry picked from commit cb1dddad27)
Change-Id: Ifc5be24d14029cb616d5564366fc10a0b93c9939

With the change in I4f13638598037acaeb30d61c8d5178f45882fcba
to separate the PackageWatchdog package expiry deadline from the explicit
health check deadline, it would be cleaner for ExtServices to supply
this deadline per-package. We now do that as a field in
PackageInfo.
Bug: 120598832
Test: Builds
Change-Id: I29e2d619a5296716c29893ab3aa2f35f69bfb4d7

The objective is to allow us to push model parameters by using a settings flag,
without the need to push a new model file.
Settings.Global#TEXT_CLASSIFIER_ACTION_MODEL_PARAMS stores a comma
separated string that contains these three fields:
1. required_model_version
2. required_locales
3. serialized_preconditions
To ensure serialized_preconditions is applied to the target model file,
TextClassifierImpl only applies the serialized_preconditions when
required_model_version and required_locales are both met.
Test: atest frameworks/base/core/tests/coretests/src/android/view/textclassifier/
Test: adb shell settings put global text_classifier_action_model_params 'required_model_version=0,required_locales=en,serialized_preconditions=FAAAAAAADgAIAAAAAAAAAAAABAAOAAAAAAAAAA=='
Observe that the flag is actually applied in the model.
Test: Ensure that finalize is called when the activity is dead.
BUG: 123616497
Change-Id: Ie42dcfeee705c83bbb693a5c1a0fedd0821df5e7

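As an added illustration (not TextClassifierImpl's code), the following Python parses the TEXT_CLASSIFIER_ACTION_MODEL_PARAMS value from the test step above and returns serialized_preconditions only when both required_model_version and required_locales match the model; the function names, the exact-string locale comparison and the input validation are assumptions of the example.

```python
# Added example, not TextClassifierImpl code: parse the comma-separated
# TEXT_CLASSIFIER_ACTION_MODEL_PARAMS flag and gate serialized_preconditions on
# required_model_version and required_locales. Names are assumptions.
import base64

FIELDS = ("required_model_version", "required_locales", "serialized_preconditions")

# Sample value, copied from the commit's manual test step.
SAMPLE = ("required_model_version=0,required_locales=en,"
          "serialized_preconditions=FAAAAAAADgAIAAAAAAAAAAAABAAOAAAAAAAAAA==")

def parse_model_params(setting):
    """Return (version:int, locales:str, preconditions:bytes).

    Rejects unknown, duplicate or missing fields, a non-integer version and
    malformed base64, so a bad flag value cannot feed garbage to the model.
    """
    params = {}
    for item in setting.split(","):
        key, sep, value = item.partition("=")
        if not sep or key not in FIELDS or key in params:
            raise ValueError(f"bad field: {item!r}")
        params[key] = value
    if len(params) != len(FIELDS):
        raise ValueError("missing field(s)")
    version = int(params["required_model_version"])   # ValueError if not an int
    # validate=True rejects non-alphabet characters (binascii.Error is a ValueError)
    preconditions = base64.b64decode(params["serialized_preconditions"], validate=True)
    return version, params["required_locales"], preconditions

def preconditions_for(model_version, model_locales, setting):
    """Preconditions to apply to this model, or None when either requirement fails."""
    version, locales, preconditions = parse_model_params(setting)
    if model_version != version or model_locales != locales:
        return None
    return preconditions
```
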
There are a few assumptions in the rollback manager that fail in the
multi-user case that need to be fixed:
* getAllSessions only returns sessions for the specific user.
* Session callbacks are only called on sessions associated with the
registered user.
* getPackageInfo only returns info for the specific user.
Fix these issues so that rollbacks will work properly, in particular
when the initial install session is owned by a non-system user.
Bug: 129809507
Bug: 129397974
Test: On single user device: atest RollbackTest StagedRollbackTest
Test: On primary user of multi-user device: atest RollbackTest StagedRollbackTest
Test: On multi user device manually:
adb install RollbackTestAppAv1.apk
adb install --user 10 --enable-rollback RollbackTestAppAv2.apk
-- verify the install succeeded --
adb shell pm rollback-app com.android.tests.rollback.testapp.A
-- verify the rollback succeeded --
Test: On multi user device manually:
adb install RollbackTestAppAv1.apk
adb install --staged --user 10 --enable-rollback RollbackTestAppAv2.apk
adb reboot
-- verify the install succeeded --
adb shell pm rollback-app com.android.tests.rollback.testapp.A
adb reboot
-- verify the rollback succeeded --
(cherry picked from commit d81ff97866)
Merged-In: I1a7cf101b3bc3575421629c4bf0ff63418eb8731
Change-Id: I1a7cf101b3bc3575421629c4bf0ff63418eb8731

Unit tests for HashedStringCache, which was committed in an earlier CL,
ag/6867725. This tests the various inputs and expected outputs.
Testing also revealed some vulnerability to invalid input, so validation
was added in the code under test.
Bug: b/129870147
Test: This is the test file
Change-Id: I7387f808df87a869f81339cd4aea99b23dfc06bd

It needs to use the same STOPSHIP logic for consistency with the
two other enforcement sites across the OS.
Bug: 129487770
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I7a3fa836e0795912c264aae58a55472ffae3d8c3