Test Harness Mode is a feature for device farms that want to wipe
their devices after each test run. It stores the ADB keys in the
persistent partition (used for Factory Reset Protection) then performs
a factory reset by broadcasting the MASTER_CLEAR intent.
Upon rebooting, the Setup Wizard is skipped, and a few settings are set:
* Package Verifier is disabled
* Stay Awake While Charging is enabled
* OTA Updates are disabled
* Auto-Sync for accounts is disabled
Other apps may configure themselves differently in Test Harness Mode by
checking ActivityManager.isRunningInUserTestHarness()
Bug: 80137798
Test: make && fastboot flashall -w
Test: adb shell cmd testharness enable
Change-Id: I91285c056666e36ad0caf778bffc140a0656fcfa
signature|privileged|vendorPrivileged|oem
permission
And grant it to SystemUI and Shell (adb shell am start).
Bug: 110956953
Test: atest WmTests:ActivityStarterTests
Change-Id: I4885a9a62ee8d47a3aef85f0e34b746c3f51ca2b
This change is the main check in for the historical app op feature.
The idea is to store a historical data about past app op rejections,
accesses, and durations per op for any UID state indefinitely.
Keeping all operations on record is not practical as app ops are
very frequently performed. To address this we are storing aggregated
data as snapshots where we store for every UID and its packages
how many times each op was accessed, rejected, lasted as an aggregate.
To allow history scaling indefinitely we are taking a logarithmic
approach with only the most recent state stored in memory and all
preceding state stored on disk. State on disk is stored in separate
files where each preceding file, i.e. for an older period, would
cover X times longer period with X number of snapshots covering
X times longer period. Initially X is ten but can be tweaked. For
example, the first file could contain data for ten days with daily
snapshots, while the file for older period would have data
for a hundred days with snapshots every ten days, etc.
The implementation is optimized for fast history update and no impact
on system runtime performance and minimizing memory footprint. We
are lazily persisting state to disk on a dedicated thread as this is
slow. We are also reading the relevant historical files on a query
as this is very rare as opposed to state updates.
The base snapshot interval, i.e. snapshot time span, in the initial
iteration and the logarithmic step are configurable. These can be
changed dynamically and the history would be rewriten to take this
into account.
Test: atest CtsAppOpsTestCases
bug:111061782
Change-Id: I55c32c79911ba12b2ace58d2a782b8df1e6bff60
Require callers hold a new MANAGE_ROLLBACKS permission to interact with
the RollbackManager.
Bug: 112431924
Test: atest RollbackTest, with new test for permissions added,
and with selinux in permissive mode.
Test: atest CtsPermission2TestCases:PermissionPolicyTest
Change-Id: I73f4f3457d85be580670cd69c89066d2cc348186
1. decouple disconnectCause and preciseDisconnectCuase from
preciseCallState.
2. expose preciseCallState to SystemAPI and expose
onPreciseCallStateChanged to System API
3. remove/hide ImsReasonInfo from PreciseDisconnectCuase
4. expose DiconnectCuase and PreciseDisconnectCause to System API
5. new onDisconnectCauseChanged API on PhoneStateListener for CS call
and use ImsCallSessionListener for IMS call(imsreasonInfo)
6. add read_precise_phone_state to shell apk to enable GTS test
Bug: 119890559
Test: atest GtsGmscoreHostTestCases:TelephonyHostTest#testPhoneStateListener
Change-Id: If9256feff16b6bcaef1dfe194c2b0df2a48436b0
If a system component calls to a remote provider, and that provider
hangs, we end up burning that Binder thread until the remote process
is killed for some unrelated reason.
This change adds an API to detect these hangs, and kill the remote
process after a specific timeout, but only when the caller holds a
permission that lets them kill other apps.
Bug: 117635768
Test: atest android.content.cts.ContentResolverTest
Change-Id: I81b0d993d9d585cdeb5e2559c68052ba6cbbced9
Bunch of changes:
- Split public SmartSuggestionsService info ContentCaptureService and
AugmentedAutofillService
- Renamed 'intelligence' packages to either 'contentcapture' or
'autofil.augmented'
- Renamed internal packages and classes.
- Changed permissions, resource names, etc...
- Moved Augmented Autofill logic from IntelligeceManagerService (R.I.P.) to
Autofill.
- Optimized IPCs by passing a String instead of the InteractionSessionId
(that also solves the view -> service dependency).
Test: atest CtsContentCaptureServiceTestCases \
CtsAutoFillServiceTestCases \
FrameworksCoreTests:SettingsBackupTest
Test: manual verification with Augmented Autofill Service
Bug: 119638877
Bug: 117944706
Change-Id: I787fc2a0dbd9ad53e4d5edb0d2a9242346e4652d
This change adds the MANAGE_ROLE_HOLDERS permission to shell, which
allows shell or code with Shell permission identity to use privileged
RoleManager APIs.
Bug: 110557011
Test: build
Change-Id: I6b8be9eec2a1dfb169536cfcda9d21cb802df327
This creates the PowerManager APIs that allow apps with the
appropriate permissions to interact with Dynamic Power Saver.
Bug: 111450127
Test: WIP
Change-Id: I5b9483fa0fba81a4ade622b1f3dbaec580b68a67
A lot of CTS tests involve the clipboard and making all of them input
focus is somewhat wasteful and invasive, instead we will adopt the
shell's permissions when relevant.
Test: atest ClipboardManagerTest
Bug: 6229949
Change-Id: I10f07e89b0baead625464c2afd5da1e229a45473
This splits the
- review permissions
- individually control permissions
- consent to manage wireleess (wifi + bluetooth)
properties.
Almost all code cares only for the first and it is now always true.
Hence a lot of code can be simplified.
Bug: 110431654
Test: atest PermissionsHostTest
started pre-M app
Change-Id: I733cd476ccd0bf5eaa59e9a9506db34f57c6baee
Since this permission protects system apis, this is required for
instrumentation tests.
Test: atest com.google.android.suspendapps.gts.SuspendPackagesTest
Bug: 79773970
Change-Id: Ib283018c50cc19c3958bd61e2d19befbf2805cc5
Add a new internal permission required to disable hidden API checks using
"am instrument". Grant this permission to the shell.
Test: $ adb shell am instrument --no-hidden-api-checks mypackage/.MainInstrumentation
Bug: 64382372
Change-Id: I193dba412560f17810ad0c67c733a1eec15fa7b7
- Fix issue with testFinishPipActivityWithTaskOverlay failing due to
new permission check in the system
Bug: 71716434
Test: atest CtsActivityManagerDeviceTestCases:ActivityManagerPinnedStackTests#testFinishPipActivityWithTaskOverlay
Change-Id: Ifbcd6c182d928f5aa5372d2db9fa71a142dc8474
Add a new platform-only permission for being able to change
app ops mode, so nothing outside of the platform can do this.
Bug: 62342672
Test: Booted, ran, settings works, shell works, apps install
Change-Id: I372e649c019a8f9b95919ff0da6f56612d7061c2
Now requires permission if targeting P.
Note that this is a separate permission from the existing one
that is required for instant apps to use foreground services. The
reason for this is that their semantics are different (the instant
apps permission is associated with an app op for control over what
the app is allowed, while the regular app permission is just a
normal permission that is always granted and only there for
auditing of apps), and there are probably going to be cases where
a developer will want to use a foreground service in the full
version of their app but not as an instant app.
Bug: 72116995
Test: atest CtsAppTestCases
Change-Id: I883c9515c307ed8e39f0bf888c4045944c8183ac
These commands allow a user to set the time and the timezone
from the shell. The shell now has signature|privileged
SET_TIME and SET_TIME_ZONE permissions.
Bug: 67751701
Test: manual - correctly sets the time and timezone from unrooted adb.
Change-Id: I1d2820fd7dadd8b1f3900c0592eb28210370ce88
Follow-up to ag/3614843 where we started to enforce the permission in
window manager.
Bug: 67109817
Test: builds
Change-Id: Id5712d2ed4c537da3a443f9c51aa15e3c84d670b
System singed components can watch for starting/finishing of
long running app ops. Also protected the APIs to watch op mode
changes with a singature permission for the cross-uid use case.
Test: atest com.android.server.appops.AppOpsActiveWatcherTest
bug:64085448
Change-Id: Id7fe79ce1de4c5690b4f52786424ec5a5d9eb0fa
Skip Bluetooth consent UI if running on shell, also fix a typo in log message.
Test: Manual test running `adb root; adb shell service call bluetooth_manager 6` and see if BT is on without consent UI.
Bug: 69872231
Change-Id: Ie513794a7fc13041259fd84734bfc651495ba5cf
Now requires permission if targeting P.
Note that this is a separate permission from the existing one
that is required for instant apps to use foreground services. The
reason for this is that their semantics are different (the instant
apps permission is associated with an app op for control over what
the app is allowed, while the regular app permission is just a
normal permission that is always granted and only there for
auditing of apps), and there are probably going to be cases where
a developer will want to use a foreground service in the full
version of their app but not as an instant app.
Bug: 72116995
Test: atest CtsAppTestCases
Change-Id: I95afb7185742b82c525e775ca20bb36015510b43
Now requires permission if targeting P.
Note that this is a separate permission from the existing one
that is required for instant apps to use foreground services. The
reason for this is that their semantics are different (the instant
apps permission is associated with an app op for control over what
the app is allowed, while the regular app permission is just a
normal permission that is always granted and only there for
auditing of apps), and there are probably going to be cases where
a developer will want to use a foreground service in the full
version of their app but not as an instant app.
Bug: 72116995
Test: atest CtsAppTestCases
Change-Id: If5a79e7ed5ab9e0edc77410315eb4d2df8ac850b
If a UID is idle (being in the background for more than
cartain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an eror and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.
Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
Added - CameraTest#testCameraAccessForIdleUid
Change-Id: If6ad1662f2af6592b6aca1aeee4bd481389b5e00
To protect user's privacy if a UID is in an idle state we allow
recording but report silence (all zeros in the byte array) and once
the process goes in an active state we report the real mic data.
This avoids the race between the app being notified aboout its
lifecycle and the audio system being notified about the state
of a UID.
Test: Added - AudioRecordTest#testRecordNoDataForIdleUids
Passing - cts-tradefed run cts-dev -m CtsMediaTestCases
-t android.media.cts.AudioRecordTest
bug:63938985
Change-Id: I8b0a0889c4aee07f4e1d3c7e4cee0821f2f8cd91
Idle UIDs are ones that were in the background for long enough time.
Currently such apps can access sensor data even though they have no
user perceptible components running. This affects the user's privacy
since an app in the background can use sensor data to infer location,
activity, habbits, etc.
The goal is to restrict sensor access for all apps in the ecosystem
regardless of target SDK which means the solution should be backwards
compatible. At the high level the sesnor service observes UID state
changes and applies policy like this:
Continuous sensors: for sensros in this reporting mode when the UID
goes in the background we will stop dispatching events. Once the UID
goes active we will start reporting the events. While this is an
app visible behavior change we would rather do that vs delivering
fake events.
Flush events: there is no change in behavior based on the UID state.
Hence, idle apps can request a flush and would get the completion
callback. From an app perspective flushing works at any point.
Trigger events: for sensors in this reporting mode when the UID
goes in the background we will not report any trigger events. From
an app perspective the sensor just did not pick up any events.
On-change events: for sensors in this reporting mode when the UID
goes in the background we will not report any change events. From
an app perspective the sensor just did not pick up any events.
Wake locks: since UIDs in idle state cannot acquire wakelocks we
will not be grabbing a wakelock on behalf of apps in that state.
Test: Added - SensorTest#testSanitizedContinuousEventsUidIdle
Added - SensorTest#testBatchAndFlushUidIdle
Pass - cts-tradefed run cts-dev -m CtsSensorTestCases
bug:63938985
Change-Id: Iee73dc034f5fe7fbea789a3b60db4290757c5052
We recently created a new GID that can be granted to critical system
processes, so that the system is usable enough for the user to free
up disk space used by abusive apps.
Define a permission for the GID so we can grant it to system apps,
and add the GID to core apps needed for system stability. (The list
was mostly derived from filling a disk and seeing what caused the
device to fall over.)
Test: builds, boots
Bug: 62024591
Change-Id: Icdf471ed3bed4eeb8c01f1d39f0b40c1ea098396
This change adds a special flag when binding to a service to request
instant apps to be considered as well (assuming the caller has the
permission to see instant apps). This flag is scoped only for the
platform to use and is intended only for development and testing.
Specifically, we have a class of CTS tests that has tests plus service
in the same APK (accessibility, printing, autofill, any other plugin
based sub-system).
Instead of doing the tediuous work split all these into one APK with
tests and one with the services where the latter exposes a remote
interface to the former, we will be adding shell commands to the
dedicated sub-system to allow temporary binding to plugins provided
by instant apps. The goal is not validating the plugin behavious,
rather a working plugin is required to test app side funcionality.
This change adds a shell command to allow the a11y manager serivce
to bind to plugins provided by instant apps. This is required to
be able to run relevant CTS test cases in instant mode.
Test: cts-tradefed run cts-dev -m CtsAccessibilityTestCases
cts-tradefed run cts-dev -m CtsAccessibilityServiceTestCases
Bug: 70978575
Change-Id: Ifced735a9a6e495747372dd8b00fdd64933a09c7
Without this change, `lowpanctl`, the command line tool for managing
LoWPAN networks, won't be able to work properly.
Cherry-picked from commit 1b730e4bd2c8e03d2a9bf041a4acd6fd6c0467f1.
Bug: b/65490659
Test: Manually
Change-Id: Ie44bac5c3bdc956dc2b1e79284ad18eae6931a32
