unlinklib is no longer necessary since libraries are now either stored
in an ASEC container or in /data/app-lib
Replace lib directory with a symlink to the /data/app-lib directory even
if it's a dangling link. That way developers don't name something "lib"
in their directory which gets blown away during an update.
Change-Id: I142cf13dba9c13aafbaf0ff8d5e9872cbf1cc910
Make installd run with fewer privileges. This will help make
exploitation of installd based vulnerabilities more difficult
to perform.
installd now runs with the following privileges:
* CAP_DAC_OVERRIDE
* CAP_CHOWN
These two capabilities are needed to add and remove files
from application's home directories.
* CAP_SETUID
* CAP_SETGID
These permissions are needed to further drop privileges when
running dexopt as the application UID.
"installd" no longer runs with full root privileges. It cannot,
for example, mount and unmount filesystems, install modules,
perform direct I/O, etc.
Change-Id: Ib407e41e5e4c95f35a5c6a154812c5e8ae3006ed
To avoid downloading large OBB files separately for each user,
provide a shared view of /sdcard/Android/obb to all apps. Added
upgrade step to migrate the owners existing OBB files to become
the default view.
Bug: 7008879
Change-Id: I199321552fa7d4b97d5ed7fc3b3bc41f23618601
Most devices create the path in their init.rc, but create it just
to be sure. This fixes emulator boot failure.
Bug: 7058844
Change-Id: Icab3ce11c4304d972d13e1d9a0c269cfe05b9370
Introduce API to get per-user storage information, keep track
of services associated with users, and various small cleanup.
Change-Id: I5d4e784e7ff3cccfed627d66a090d2f464202634
Emulated external storage always has multi-user support using paths
like "/data/media/<user_id>". Creates and destroys these paths along
with user data. Uses new ensure_dir() to create directories while
always ensuring permissions.
Add external storage mount mode to zygote, supporting both single-
and multi-user devices. For example, devices with physical SD cards
are treated as single-user. Begin migrating to mount mode instead
of relying on sdcard_r GID to enforce READ_EXTERNAL_STORAGE.
Bug: 6925012
Change-Id: I9b872ded992cd078e2c013567d59f9f0032ec02b
This rewrites installd's code for deleting cache files to be better:
- Isn't really stupid about just deleting directories in the order
they are found on the filesytem; now collects all cache files and
sorts them by mod time to determine which to delete.
- Also deletes cache files in /data/media and for all users.
This also tweaks DeviceStorageMonitor to be a little smarter about
deciding when to flush cache files, having upper and lower limits
that it allows memory to get down to and then flash files to reach
the higher free storage limit. This should reduce the amount that
we perform flushing when starting to reach the storage limit.
Finally add a new pm command to force a cache flush.
Change-Id: I02229038e1ad553d1168393e5cb6d5025933271d
...mismatched uid: X on disk, Y in settings" errors on Froyo and Gingerbread
Deal more gracefully with the uid changing in three ways:
1. If the uid on disk has become root, then have installd change it to
the application's uid. This is to correct a potential case where
installd was interrupted while linking or unlinking the libs dir,
during which it temporarily changes the owner of the dir to root
so that a malicious app can not get in its way. So if the uid on
disk has become root, we assume we can safely just change it back
to the correct uid.
2. When scaning packages at boot, use the same "delete and rebuild data
directory" code for third party applications as we have for system
applications. This allows us to at least end up in a state where the
app will run, even if its data is lost.
3. But we really don't want to get in to case 2, so if an application
update is being installed and we find that the uid we now have for
the app is different than the one on disk, fail the update. This will
protect against for example a developer changing the sharedUserId of
their app and getting into this bad state.
Bug: 6295373
Change-Id: Ic802fdd818ac62449ff3c61d1fff1aa4d4942f39
Make sure /data/user directory permissions get explicitly set
regardless of the system umask.
Change directory permissions to 0711. No need for read permissions.
Bug: 3272072
Change-Id: Ida7f3c6656f4e0c9d0a9f7648491cc853c4e44ca
Switching activity stacks
Cache ContentProvider per user
Long-press power to switch users (on phone)
Added ServiceMap for separating services by user
Launch PendingIntents on the correct user's uid
Fix task switching from Recents list
AppWidgetService is mostly working.
Commands added to pm and am to allow creating and switching profiles.
Change-Id: I15810e8cfbe50a04bd3323a7ef5a8ff4230870ed
- Create /data/user directory and symlink /data/user/0 -> /data/data for
backward compatibility
- Create data directories for all packages for new user
- Remove data directories when removing a user
- Create data directories for all users when a package is created
- Clear / Remove data for multiple users
- Fixed a bug in verifying the location of a system app
- pm commands for createUser and removeUser (will be disabled later)
- symlink duplicate lib directories to the original lib directory
Change-Id: Id9fdfcf0e62406a8896aa811314dfc08d5f6ed95
* Add ability to select different personas to generate the path to be
created.
* Move hardcoded paths to read from init's set environment.
* Add unit tests for all the utility functions that build strings to
make sure they're correct.
* Fill in persona with "0" all the time now. Will be plumbed through in
later CL.
Change-Id: I0a7f6e3640cb6b052f8823080886ee79e90b679f
This will help legacy games that use dlopen() to directly access the
/data/data/<app>/lib directory before the
ApplicationInfo.nativeLibraryDir was part of the API.
Change-Id: Ie9f3e7239b6334708b5d086ffafe66a507f6d9da
Use int64_t because we're RPCing over to Java which uses a Long to
represent the filesystem space.
Change-Id: I842b2cf9f2ff8f980ff5895c1c8eb9ebefa1ea31
This adds three new features:
- <original-package android:name="com.foo" /> manifest tag.
This allows an .apk to specify another package it originally came from,
propagating all state and data from the old to new package.
- <adopt-permissions android:name="com.foo" /> manifest tag.
In some more complicated cases, a new .apk may be a combination
of multiple older .apks that each declared their own permissions.
This allows you to propagate the permissions from these other
.apks into the new one.
- A new system/etc/updatecmds directory.
You can place files here which describe data files to move from
one package to another. (See below for details.)
Also in this change: we now clean up the data directories of
.apks that disappear from the system image, and some improvements
to logging and reporting error messages.
A typical file in the updatecmds directory looks like this:
-------
com.google.android.gsf:com.google.android.providers.talk
databases/talk.db
com.google.android.gsf:com.google.android.googleapps
databases/gls.db
-------
This says that for com.google.android.sfs, there are two packages to
move files from:
From com.google.android.providers.talk, the file databases/talk.db.
From com.google.android.googleapps, the file databases/gls.db
As part of moving the file, its owner will be changed from the old
package to whoever is the owner of the new package's data directory.
If those two files had existed, after booting you would now have the
files:
/data/data/com.google.android.gsf/databases/talk.db
/data/data/com.google.android.gsf/databases/gls.db
Note that all three of these facilities assume that the older .apk
is completely removed from the newer system. The WILL NOT work
correctly if the older .apk still remains.
