Added support for privapp-permissions config element. It allows to explicitly
control what privileged permissions applications should be granted.
Feature is controlled by ro.control_privapp_permissions property.
Possible values:
- 0/false, the feature is completely disabled - signature|privileged
permissions are granted automatically without logging. *Default behavior*
- 1/true, enforce that only whitelisted permissions are granted. Only
devices with ro.control_privapp_permission=1 will pass CTS tests.
Test: Manual
Bug:31008485
Change-Id: I93a8c2782cc72b3953f32c237086d08d82ac0d5b
DownloadProvider is now based completely on JobScheduler, and deep
inside the platform we allow foreground
downloads (FLAG_WILL_BE_FOREGROUND) to run even while the device is in
doze, so it doesn't need to be temporarily whitelisted anymore.
BUG: 29056149
Change-Id: I3658bb42aeeee5d5528f91ec990d6e1bc54257b6
These are permissions that were mapped to gids but we need
to keep them listed event though they are no longer mapped
to gis until an upgrade from L to the current version is to
be supported. These permissions are built-in and in L were
not stored in packages.xml as a result if they are not defined
in the platform.xml while parsing packages.xml we would
ignore these permissions being granted to apps and not
propagate the granted state.
From N we are storing the built-in permissions in packages.xml
as the saved storage is negligible (one tag with the permission)
compared to the fragility as one can remove a built-in permission
which no longer needs to be mapped to gids and break grant
propagation.
bug:27185272
Change-Id: I65e05c4f7edd9a934888b4d0974100aa4e9a9453
* Added GID "wakelock" (3010) to the list of groups the System Server
belongs to.
* Added GID "wakelock" to the list of assigned groups for the
"android.permission.BLUETOOTH_STACK" Android permission.
* Grant CAP_BLOCK_SUSPEND to processes that belong to GID "wakelock"
Bug: 25864142
Change-Id: I8a9a5f11e4a9ecd1abf2d4f4b90ec89b3101332e
For the system user, enable apps based on the following conditions:
- app has no launcher icons or has INTERACT_ACROSS_USER_FULL permission
- app is whitelisted
- app is not in the blacklist
Bug: 23283899
Change-Id: I90fa266e8cfb28d002e5f792998fdddb6a1e6969
We now have a new whitelist you can put apps in, which
opts them out of the old battery saver mode and new app idle,
but doesn't keep them from going in to doze. This is for a few
special cases that we had previously whitelisted for battery saver,
and inherited to the new modes... ultimately we should figure out
how to get these apps out of the whitelist completely, but this
will help for now.
Apps in this new whitelist are not shown in the UI, because they
are still significantly restricted by not being able to operate
normally in doze. This also means they are still visible in the
list of all apps for the user to be able to put them on/off the
complete whitelist if that is what they really want.
In the course of doing this, I needed to clean up code in the
network policy manager to better separate management of the
two firewall rules that now have different whitelists applied
to them. This also hopefully just generally simplifies and cleans
up that code. Hopefully!
Change-Id: I92e15f2f85899571dd8b049b5e3eb1354f55f353
Typical apps are restricted so they can only view shared storage
belonging to the user they're running as. However, a handful of
system components need access to shared storage across all users,
such as DefaultContainerService and SystemUI.
Since WRITE_MEDIA_STORAGE already offers this functionality by
bypassing any FUSE emulation, reuse it to grant the "sdcard_rw" GID
which is no longer handed out to third-party apps. Then we change
the FUSE daemon to allow the "sdcard_rw" GID to see shared storage
of all users.
Bug: 19995822
Change-Id: I504c2a179ba74f142ed0d32da5baa69f4212cd82
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: I62fb25d126dd815aea699b33d580e3afb90f8fd2
This will eventually allow us to have a single unified filesystem
instead of requiring zygote to use bind mounts.
Change-Id: I29b819ab51498b4bab874e0367b1ab4165f84025
We continue to compile external/apache-http into ext.jar. This contains
a few changes apart fom the classes moving around :
- Makefile changes to build docs and api-stubs for now. A future change
will revert these changes and remove these classes from stubs and
docs.
- Hardcode event IDs in legacyerrorstrings to avoid a dependency between
the frameworks and apache. These strings are on their way out and will
never change anyway.
- Remove imports due to {@link} tags and use {@code} instead.
- Remove an accidental(?) dependency on apache commons code that's a
part of apache-http.
bug: 18027885
Change-Id: I51cd038d846ec7d02c283a4541b10a6a9cf62ecf
Add FM permission like KK to support FM radio app.
Change-Id: Ifb76f63e3136a5f88306903fd28e9abbb01e69c9
Signed-off-by: Benson Huang <benson.huang@mediatek.com>
Conflicts:
data/etc/platform.xml
Some system apps doing hotword training need low-level access to
audio hardware, beyond what the existing HAL offers. For now, give
them the audio GID.
Bug: 17763721
Change-Id: I8025c3abacae13a6ffec4e10e4976a67ab505bdf
The network policy manager now monitors battery save mode and,
when in battery save, uses its facility to block access to metered
networks to block access to all networks. That is, it tells the
network management service that all networks have an (infinite)
quota, and puts various app uids to be restricted under quota
interfaces as appropriate.
This new network blocking needs a new facility to be able to white
list apps, such as GmsCore. To do this, I refactored the package
manager's permission configuration stuff into a separate SystemConfig
class that can be used by others, and it now has a new tag to
specify package names that should be white-listed for power save
mode. These are retrieved by the network policy manager and used
to build a whitelist of uids.
The new general config files can now go in system/etc/config,
though currently everything still remains in the permissions dir.
Still left to be done is changing the semantics of what uids are
allowed in this mode, to include all perceptable uids. (So that we
can still do things like background music playback.) This will be
done in a follow-on CL.
Change-Id: I9bb7029f61dae62e6236da5ca60765439f8d76d2
Write supplementary GIDs to packages.list for lower-level system
components to parse.
WRITE_EXTERNAL_STORAGE also implies sdcard_r GID. Switch to always
enforce READ_EXTERNAL_STORAGE permission. Update permission docs to
mention new behavior.
Change-Id: I316ba4b21beebb387ac05c80980ae9b38235b37d
This gid is not needed by camera-using apps, since all camera access
is mediated by the camera service, which does not depend on gid for
permission checks.
Bug: 9904186
Change-Id: I859e6cabc905af9d98e2b09f5bbad086b5eb2b26
Rework how the shell user is defined so that it is
associated with an actual apk, instead of being a free
roaming uid with special permissions assigned to it.
This allows us to correctly account for its operations
in app ops.
Implement a special case for the root user in app ops --
it is always allowed, always with the package name "root".
Add various code to take care of cleaning up package state
from app ops -- when packages are uninstalled, and during
boot if any packages currently being stored no longer exist.
Also fix a bug in the activity manager to correctly grant
permissions in all cases when onNewIntent() is being called.
Change-Id: Iae9f6d793ee48b93518c984ad957e46ae4582581
Create a BLUETOOTH_STACK permission to share between all users of
Bluetooth apk. Bluetooth Manager binds to apk of current user
bug 6925422
Change-Id: I2df5546e977c2d77bc66d97d12479d933826922a
We also now send the correct broadcasts to each user.
You no longer need to be running the shell as root
to be able to create/remove users.
Also added some more man page material to the pm command, and
got rid of a bunch of showUsage() calls that now make error
messages completely buried because of how large the usage info
has become.
And the package manager now shows the user each historical broadcast
was sent to.
Change-Id: Iab42498e1352a0c023069139c80fc04d2d69ab4b
1. Added methods to the ActivityManagerService remote interface
that allow accessing content providers outside of an application.
These methods are guarded by an internal signature protected
permission which is given to the shell user. This enables a
shell program to access content providers.
2. Implemented a shell command that takes as input as standart
fagls with values and manipulates content via the content provider
mechanism.
Change-Id: I2943f8b59fbab33eb623458fa01ea61a077b9845
- IME service now switches between visible and perceptible depending on
whether it is being showm, allowing us to more aggressively free its
memory when not shown.
- The activity display time is no longer delayed by the activity
transition animation.
- New -R (repeat) option for launching activities with the am command.
- Improved some documentation on Loader to be clear about some methods
that apps should not normally call.
- FrameworkPerf test now allows you to select individual tests to run.
Change-Id: Id1f73de66dc93d63212183958a72119ad174318b
We now do the screenshot in a separate process.
Also change the recents panel to not use hardware acceleration
on lower-end devices. And improve how it gets shown to not
load all data up-front which results in a long delay when you have
lots of recents.
Change-Id: Ia309a90f9939e5405758621b3f7114597bd0c02a
The problem is that the audio HAL fails to acquire the wake lock when playing the notification.
This is because of a change that removed the mediaserver process form the system group for honeycomb.
The fix consists in requesting the wake lock from PowerManagerService when AudioFlinger mixer
wakes up.
A consequence of this change is that audio HALs or pcm drivers do not have to hold wake locks
anymore as in the past.
Change-Id: I4fb3cc84816c9c408ab7fec75886baf801e1ecb5
Introduces new "net_bw_stats" group which will protect reading
detailed bandwidth statistics from the kernel. Also introduce
"net_bw_acct" group which will enable specific applications to
request that their network traffic be counted against other UIDs.
This change associates manifest permissions with the low-level GIDs.
Change-Id: If3fc28053afda201ff305d798a8878ff1f35b997
Updates aapt to know about these. Also updates aapt badging to:
- No longer crash due to the change to how we match unspecified
configuration resources.
- Report the new "smallest screen" supported screen configs.
- Infer old screen size buckets based on new smallest width attrs.
- Report all of the different labels and icons in an app.
Change-Id: I7376042b817391bd070f549cebbc7f03be4635c8
