This change makes storage a soft restricted permission. When the
permission is whitelisted for an app then holding it allows the
app to access the full SD card as on a P device. If however, the
permission is not whitelisted for an app then holding it allows
accessing the visual/aural collections in media store while the
app would run in its own isolated storage sandbox.
This change also connects the opt in/out application attribute
to how external storage is mounted removing temporary code. The
attribute was renamed to convey that opting in legacy mode is
not something that is desirable or would be available in the long
run.
While at this, also fix the default state of app ops for restricted
permissions to avoid allowing ops for non requested restricted
permissions to every UID, as component access could skip permission
checks but cannot skip app op checks.
Bug: 130327036
atest CtsPermission2TestCases
atest CtsPermissionTestCases
atest CtsAppOpsTestCases
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ExternalStorageHostTest
atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Change-Id: Ibb23cbb6a5c66d9c3823cc13562a1b903b391ffd
Move the early logic that decides whether ANGLE should be used
to a static public function that can be queried elsewhere
without setting up the environment further.
Bug: 130029351
Test: atest CtsAngleIntegrationHostTestCases
Change-Id: I908233d46631ec91dca714bff3f8fd9341160c9e
Game Driver and ANGLE require disabling graphics driver preloading, which
results in app launch time regression. Given that in the early stage, only a few
applications will use them, we would like to make sure Zygote prefork comes
with a preloaded graphics driver, such that applications that don't go through
ANGLE or Game Driver can directly use Zygote prefork without having to load the
driver.
Bug: 130029351
Test: Verify with testing applications.
Change-Id: I8097f0f7a908be9967b08afb01dc0ce5ff7b3413
This allows applications to specify both a GLES layer app and a
Vulkan layer app, so both APIs can be debugged at the same time.
To specify multiple debug layer apps, colon separate them just
like the layers:
adb shell settings put global gpu_debug_layer_app app1:app2:appN
Bug: 110883880
Test: atest CtsGpuToolsHostTestCases
Change-Id: I5f721b7d9de59577adb6cc03e909ff99ca79d75e
To let developers focus on specific concrete storage devices in Q,
we need a volume name that can be used to point at the primary
external storage device. We had been using VOLUME_EXTERNAL for that,
but we've heard that certain apps are making deep assumptions that
media item IDs are globally unique across all volumes.
Thus these changes merge all volumes back into a single underlying
database, and VOLUME_EXTERNAL works with all of the currently
attached volumes. The new VOLUME_PRIMARY name can be used to focus
on the primary storage device when desired.
When developers try inserting items directly into VOLUME_EXTERNAL,
we gracefully assume they meant VOLUME_PRIMARY.
Bug: 128451765
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: I682ff6e9aaab4f5315a46c9825313a438548c7e6
The feature needs to be tweaked for it, and currently
regresses app startup.
Test: build jitzygote config, check there is no usap processes
Bug: 119800099
Change-Id: Ic33c539636f206da72d6d0cc51219e8d2dfe23dc
Some changes to follow string review suggestions:
- Simplify some messages.
- Replace 'Reboot' with 'Restart'.
- Notification action button order: 'Restart' button on the right.
Bug: 129100345
Test: verified with test app
Change-Id: I1ee97b0adbf74add68d3561fc647dc4923ee7237
This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed, with default grants
and role holders being on it; upgrade: only the OS puts apps on this list
when upgrading from a pre- to post-restriction permission database
version, and the OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible to sync between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade such as adding all permissions held
by apps pre upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to a VP feedback for how we would handle
SMS/CallLog restriction as we pivoted from role based approach to roles
for things the user would understand plus whitelist for everything else.
This would also help us roll out softly the storage permission as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
Bug: 124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd
Set the default value for the USAP Pool to true for devices that don't
receive DeviceConfig profiles.
Bug: 128851983
Test: m & boot & check log for USAP creation
Change-Id: Id171336671a4fb8b8ad59c5b0e2e725657361107
(cherry picked from commit 0f7bce31a8)
This is for statsd to log new metrics, as statsd has moved to use
thermal service in framework instead of connecting to HAL directly.
Bug: 119688911
Test: Build and dumpsys thermalservice
Test: atest $ANDROID_BUILD_TOP/frameworks/base/services/tests/servicestests/src/com/android/server/power/ThermalManagerServiceTest.java
Change-Id: Ib334c448c3615bf9d1cb0f1b6c2dd8a83d44f371
restorecon_recursive updates the SELinux label of the files in the
filesystem, and then attempts to write the xattr "security.sehash" as an
optimization for future restorecons. Writing security.* extended
attributes requires CAP_SYS_ADMIN, which system_server doesn't have (and
shouldn't have).
Suppress the computation and writing of the hash value. It's not
needed.
This bug has been around for a long time, but due to the fix for
bug 62302954, the error message is being generated more frequently
now.
TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit.
Bugs where this error message has been called out:
Bug: 129766333
Bug: 129271240
Bug: 128700692
Bug: 129925723
Test: install an APK and ensure that no "SELinux: setxattr failed"
error messages are generated.
(cherry picked from commit cb1dddad27)
Change-Id: Ifc5be24d14029cb616d5564366fc10a0b93c9939
It needs to use the same STOPSHIP logic for consistency with the
two other enforcement sites across the OS.
Bug: 129487770
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I7a3fa836e0795912c264aae58a55472ffae3d8c3
* changes:
Use setEnable() when there is an installed image
Use gsid.isGsiEnabled to refine DynamicSystemService
Use FeatureFlagPersistent to guard DynamicSystem
Make feature flag settings_dynamic_system persistent
Check persistent feature flag 'settings_dynamic_system' before
invoking the installation service. User can still use gsi_tool if
the device is unlocked.
Bug: 119647479
Test: Verified with 'adb shell am' and test app.
Change-Id: If2265d877bc7eedf9b7a107bba04d2e95cf1b89a
System.currentTimeMillis() is NEVER okay to use to calculate a time delta.
The original spirit of this probably should have used SystemClock.uptimeMillis(),
but use SystemClock.elapsedRealtime because it's the same as
System.currentTimeMillis() in all the cases where System.currentTimeMillis() is
correct.
Test: Treehugger
Change-Id: Ib6e090425af83e7e822fb12814d87e8a37e2d2ac
For service and provider bindings from TOP and
FOREGROUND_SERVICE apps, don't elevate bound apps
to above BOUND_FOREGROUND_SERVICE.
For service bindings, it is possible to explicitly
request the binding to match the foreground app
such that the bound app can get similar privileges
of foreground permissions.
For instance, when a foreground service has a location
type, providers it binds to don't automatically get the
location privilege. On the other hand, sometimes apps
showing UI want to treat their dependencies also as if
they are showing UI.
This change does not affect the oom_adj calculation,
only the proc state calculation for bound processes.
New BIND_INCLUDE_CAPABILITIES flag can be used to restore old
behavior for bound services.
Introduces a new state PROCESS_STATE_BOUND_TOP
Bug: 128337543
Test: atest CtsAppTestCases:ActivityManagerProcessStateTest
Change-Id: I13733e7f43a78903299254bc110cd8f7a8db4c40
Per design pivot, access to legacy behavior will be determined by
the new "allowExternalStorageSandbox" manifest flag.
Bug: 124818022, 129487770
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I169e5eb3612c23aad47204cde9ff263f9df6f8c1
- Also remove typed media permissions
- Leave typed media app-ops
Bug: 129716569
Test: Used apps, looked at permissions in the UI
Change-Id: If7714fb1a6955584157e1a60ab72b09e35287827
Add a new setting that allows a developer to specify where
to load ANGLE libraries from, rather than the default location.
This is only allowed for apps that are dumpable, i.e. can have
libraries injected. That includes debuggable, profileable,
and root.
To use the new setting:
adb shell settings put global angle_debug_package <package>
This allows a developer to build an APK directly from Chromium
and use it with a production build of Android. It will override
pre-installed system packages and updates.
Note: Use of ANGLE Developer Options UI will cease to function
until the debug package is uninstalled.
Bug: 80239516
Test: Apply setting, see new ANGLE used
Test: cts-tradefed run singleCommand cts -m CtsAngleIntegrationHostTestCases
Change-Id: Ib3b1fb52c0eb669e7ea931959a73aba2bd15bedf
1. Making a full copy of the config Builder's map so that changing
the map in the builder doesn't change the config's map.
2. Ensuring that location mode and brightness adjustment factors are
within valid ranges.
Bug: 129474588
Test: manual
Change-Id: I6117b7857afa10d71c1fc3de818c51d8719a281b
We're iterating on the design to let apps request via a manifest
flag if they'd like to opt-in or opt-out of storage sandboxing. The
default is to assume that P apps don't allow sandboxing, and that
Q apps do allow sandboxing.
Bug: 129487770
Test: manual
Change-Id: I8fddb35eed412c78622be4ccae57c7b7d2aa1286