In order to unbundle System Update, we need some to expose in the SDK
some way to reboot the device into recovery. Add a reboot() method to
PowerManager, protected by the android.permission.REBOOT permission.
as a temporary measure so unbundled Google components (GSF, etc.) can hold
it. (In the longer term, WRITE_GSERVICES won't be a system permission at
all, but it or something like it will be defined directly by GSF.)
You can no longer receive CONFIGURATION_CHANGED in a manifest, which is really really
bad (launching apps every time the screen is rotated!). A new LOCALE_CHANGED broadcast
is sent that you can receive in a manifest.
Change-Id: I80022375f0716db2e672382a29db3cea1af74702
Turning off backup in the Settings UI constitutes an opt-out of the whole
mechanism. For privacy reasons we instruct the backend to wipe all of the data
belonging to this device when the user does this. If the attempt fails it is
rescheduled in the future based on the transport's requestBackupTime()
suggestion. If network connectivity changes prompt the transport to indicate a
backup pass is appropriate "now," any pending init operation is processed before
the backup schedule is resumed.
The broadcasts used internally to the backup manager are now fully protected;
third party apps can neither send nor receive them.
(Also a minor logging change; don't log 'appropriate' EOF encountered during
parsing of a backup data stream.)
Lot of infrastructure for more things to go away when "clear system dialogs"
happens, and now do this when we turn on the lock screen.
Change-Id: I567130296fe47ce82df065ed58ef21b37416ceaf
Applications can now specify two more aspects of the restore process: whether
they need to run with their own custom Application subclass rather than being
launched in the usual restricted mode during restore, and whether it's okay for
the backup manager to kill the app process once restore has completed. The new
manifest attributes for these are, respectively, android:restoreNeedsApplication
and android:killAfterRestore.
If unspecified in the manifest, restoreNeedsApplication is false, and
killAfterRestore is true.
In order to support kill-after-restore cleanly, this change also adds a new
system-process-only interface to the Activity Manager, which will schedule a
"commit suicide" event on the target app's main thread looper.
The framework backup agents have been given the appropriate new backup
attributes as well.
Yet more work on improving the behavior of wallpapers. This fixes a few
problems in their lifecycle (corresponding change in the picker also
required for this), makes their animations better for hardware that supports
alpha fades, adds animations for the wallpapers themselves, eliminates
fixed size wallpapers, and adjusts the API for retrieving a wallpaper
bitmap to take care of scaling the raw wallpaper image to match the current
desired width and height.
Change-Id: If1c0aaceba4ea4e175dcb7a8416ca7ddbb9bfa6f
Merge commit 'c678a93a73c83e841032874bee9c202936da73c0' into eclair
* commit 'c678a93a73c83e841032874bee9c202936da73c0':
Fix issue #2056585: applications can put phone in inconsistent state wrt airplane mode
Packages that do not use android.permission.BACKUP_DATA will neither be backed
up nor restored. That permission is currently signature-only. In the future if
access to the backup/restore infrastructure is made available to arbitrary 3rd
party applications, the permission checks (and indeed, the permission itself)
can simply be removed.
This is all of the basic pieces:
- The WallpaperService now creates a surface with the window manager for its
contents.
- There is a simple service that displays a bitmap.
- The wallpaper manager takes care of starting and stopping the service.
- The window manager knows about wallpaper windows and how to layer them with
the windows that want to be shown on top of wallpaper.
Lots and lots of issues remain, but at this point you can actually write a
wallpaper service, select it in the UI, and see it behind an activity.
The Intent.EXTRA_KEY_CONFIRM extra can be set to require user confirmation before shutting down.
The ACTION_REQUEST_SHUTDOWN Intent is protected by android.permission.SHUTDOWN.
Signed-off-by: Mike Lockwood <lockwood@android.com>
* AccessibilityService -- document onBind() to not be implemented.
* GestureLibrary.getLearner() -- needs to be hidden.
* IntentSender -- remove protected constructors, document that it is retrieved from a PendingIntent.
* Hide permissions: SHUTDOWN, STOP_APP_SWITCHES.
* Context -- hide BACKUP_SERVICE.
* ContextWrapper -- hide getSharedPrefs bla h blah
* Intent.parseUri() -- fix docs.
* ApplicationInfo.FLAG_TEST_ONLY?!?
* Hide MockContext.getSharedPrefs blah blah
Merge commit 'ba989ad0ed91beda010d44945fa015d75d99cf67'
* commit 'ba989ad0ed91beda010d44945fa015d75d99cf67':
Use the old string for bookmarks permissions.
When we made the bookmark permissions public, we also changed their
names, which might break existing apps. Change them back. Depends
on a change in packages/apps/Browser
This is the problem where various things are listening for broadcasts
(such as battery status, PIN/PUK/Network) that an application can send
to cause harm to the system.
Solving this is tricky because many of these broadcasts are sticky,
and I have never figured out how to do permissions with sticky
broadcasts in a sane way. So instead, I am going to punt on the
general problem and just brute force it:
There is new a way for system components to declare specific
broadcast actions to be protected, which means that only the system
and the phone can send them. This is good enough for now. None
of it is exposed in the public API so we can make something a little
less stupid in the future if we ever need to.
This adds a new <path-permission> tag you can use inside of a <provide>
to define additional path-based permissions that broaden the global
read and write permissions. The initial use for this will be global
search, so that a content provider that is protected by permissions
can make a part of itself available to global search under another
permission. This addresses the issue with global search not being able
to request permissions it would need of providers it doesn't know
about at build time.
Merge commit 'dbcd9c34f378a93c1e7e8c91e035782daf66e5f4'
* commit 'dbcd9c34f378a93c1e7e8c91e035782daf66e5f4':
The BACKUP permission should have the signatureOrSystem protectionLevel,
This CL does the following:
+ adds an AbsoluteFileBackupHelper class for managing backup of files
known by absolute path, not based off of the app's getFilesDir() root
+ bumps up the collection interval from its testing-only default of 1 second
to 3 minutes
+ adds a SystemBackupAgent class to the main system package and names it as
the android:backupAgent for the main OS package. Right now this agent
only backs up & restores the wallpaper file.
+ amend the Wallpaper Service to inform the Backup Manager when the wallpaper
changes.
On the subject of the 3-minute collection interval before the backup actually
occurs: this can be short-circuited from an adb shell. Running the command
'bmgr run' will cause the Backup Manager to kick off any pending backup
operations immediately.
Merge commit '727f36c6a1c70ba5519ec9ce2da9ab1cf303a2ef'
* commit '727f36c6a1c70ba5519ec9ce2da9ab1cf303a2ef':
process: Fix bug where if a thread exited while we were changing its control
Fix the build: Remove ADD_SYSTEM_SERVICE, which I had accidentally
Merge commit '3dcea047c5c7a61a56f618815e298d7bd38e2678'
* commit '3dcea047c5c7a61a56f618815e298d7bd38e2678':
Remove obsolete FOTA_UPDATE permission (which should never have been
reintroduced in an errant and clumsy git merge operation.
Also remove permission label and description strings for now-deleted
permissions FOTA_UPDATE and (within the SettingsProvider package)
WRITE_GSERVICES.
made public, and wouldn't be used by any third party applications,
and no longer does anything regardless).
Also remove the WRITE_GSERVICES permission from the SettingsProvider
package's manifest (the declaration there was redundant with the one
in the core manifest, where all the other settings-related permissions
live -- no other core package includes its own permission definitions).
Merge commit '181fafaf48208978b8ba2022683ffa78aaeddde1'
* commit '181fafaf48208978b8ba2022683ffa78aaeddde1':
Retool the backup process to use a new 'BackupAgent' class
Backups will be handled by launching the application in a special
mode under which no activities or services will be started, only
the BackupAgent subclass named in the app's android:backupAgent
manifest property. This takes the place of the BackupService class
used earlier during development.
In the cases of *full* backup or restore, an application that does
not supply its own BackupAgent will be launched in a restricted
manner; in particular, it will be using the default Application
class rather than any manifest-declared one. This ensures that the
app is not running any code that may try to manipulate its data
while the backup system reads/writes its data set.
Merge commit '1e2e44e900cb9a25d548e27a20d65292a7f321bc'
* commit '1e2e44e900cb9a25d548e27a20d65292a7f321bc':
Fix wifi multicast API for public use.
Revert "Bug fixes and performance improvements"
