Legacy apps can write their own entries in the system settings and
when they get uninstalled these are hanging around forever polluting
the settings table. We keep track of which settings an app added and
when the app is uninstalled we drop its custom entries. The trouble
was that we did the same thing for global and secure settings with
no explicit list of platform defined settings. Hence, if say a test
signed by the platform certificate touches platform defined global
or secure settings and is then uninstalled, we would drop the platform
defined entries portentially crippling the system.
bug:20113160
Change-Id: Ia21694f6326ad4a1795c4666027b366e26c05a23
(cherry picked from commit b128540dc741c424d4f652419686882b7a3bfa06)
When writing critical state to XML an excpetion can lead to creating
a malformed XML that is later parsed and may put the device in a bad
state. Hence, on any error while writing we should bail out and drop
the partially write state on the floor.
Corollary, any error on parsing can lead to having a partially read
state that is not consistent which may lead to writing this bad state
back to disk. Hence, on any error while parsing we should bail as
our current state may be unrecoverable.
Change-Id: Ia050c16198cb583f8a51263ad2035dbb948052b8
Will eventually be used by SystemUI and/or Settings.
Also fix SettingsProvider NPE.
Bug: 19993667, 19909433
Change-Id: Ie326849ac5f43ee35f728d9cc0e332b72292db70
The practice in the system server is to have lenient parsing code
to avoid the whole system being unusable due to a single XML error.
Change-Id: Idf44031edf5221966f3352ca2f83e284973ab95f
The restored set of enabled IMEs/subtypes is merged into the
current state of the system, rather than simply replacing it.
This is because we do not want to accidentally disable or
reconfigure something that the user is currently relying on.
There's a certain amount of repetitive activity here, rebuilding
the enabled-state data structures in a different format, but it's
important for maintainability that the restore code be able to
rely on the core InputMethodUtils implementation of reading/writing
the settings element.
Bug 19822542
Change-Id: If0104151b3526da6ecc669adde3119a239ecafeb
We do not want to accidentally disable the user's currently-enabled
accessibility service(s); presumably they turned them on during
setup for a reason. We now merge the prior + current states rather
than simply replacing the current state with the former.
Bug 19427367
Change-Id: I96eb47df57318c88066c5da6862f23f656639148
We now back up & restore the set of enabled notification listeners. Post-
restore, a listener that had been enabled on the ancestral device will be
enabled on the current device as soon as it's installed, matching the
user's previous configuration. After this has happened the enable/disable
state for that app is not "sticky"; disabling it again will work as
expected.
The infrastructure for accomplishing this is general: it can be leveraged
by any ManagedServices derivative. There's a bit of extra wiring in the
settings provider to support the restore-time information flow as well.
This is because ManagedServices -- like many other parts of the system --
monitors writes to the settings provider and does work in response to new
writes of the elements that it cares about. Unfortunately this means that
there is no way to use the BackupAgent's restoreFinished() hook to post-
process the restored data: by the time it is run, the ManagedService's
observers have already executed and culled any unknown components from
the description that was just pushed into settings.
As of this patch, the settings provider's restore logic knows that a
particular settings element will require a message to interested observers
about the restore-driven change. The message is delivered as a broadcast,
and is sent after the new value has been committed to the settings db.
Adding other system ManagedService handling that parallels this will only
require adding a new corresponding entry to the table of individual settings
for which the relevant "this settings element is being restored" broadcast
is sent, found in SettingsHelper.
(It isn't sent for all settings elements because very few settings elements
have semantics that require it; 3rd party code won't be running yet during
platform restore anyway; and sending up to hundreds of broadcasts during
setup & restore is far from ideal.)
Bug 19254153
Change-Id: Ib8268c6cb273862a3ee089d2764f3bff4a299103
We were doing the work for persisting settings on a background
priority thread and as a result persistence was not happening
correctly on a low end devices. Now we use a worker thread with
normal priority.
bug:19611897
Change-Id: I378c6e324935f5e3def8b986bd48486bfab55265
A previous change added more whitespace to settings_global.xml to
improve human readability, but the parser is overly picky in ignoring
whitespace. This patch makes it accept all whitespace strings.
Bug: 19696812
Change-Id: I3ebb8f6df2e25f4e6b6841da743be3f3a91e2442
Backup the owner info string and whether or not
owner info is to be shown on the lockscreen.
Watch for changes to the two settings in LockSettingsService
and inform backup manager.
Bump up version numbers for the new entity.
Bug: 19300363
Change-Id: I35485c961d18b26be68873f4d5eeedc5ae513cc8
Settings provider has special handling for location providers. The
code to set the location providers was calling itself recursively
instead of updating the setting value.
bug:19361236
Change-Id: I1ef1932c7faa8226b52123aa3f23f38048258328
An OutputStream buffers only by explicit contract. OutputStreamWriter
buffers internally, always. Do not get these behaviors confused.
Bug 19341967
Change-Id: I0610ed625b0175620083dd286f3a73c24956b171
This change modifies how global, secure, and system settings are
managed. In particular, we are moving away from the database to
an in-memory model where the settings are persisted asynchronously
to XML.
This simplifies evolution and improves performance, for example,
changing a setting is down from around 400 ms to 10 ms as we do not
hit the disk. The trade off is that we may lose data if the system
dies before persisting the change.
In practice this is not a problem because 1) this is very rare;
2) apps changing a setting use the setting itself to know if it
changed, so next time the app runs (after a reboot that lost data)
the app will be oblivious that data was lost.
When persisting the settings we delay the write a bit to batch
multiple changes. If a change occurs we reschedule the write
but when a maximal delay occurs after the first non-persisted
change we write to disk no matter what. This prevents a malicious
app poking the settings all the time to prevent them being persisted.
The settings are persisted in separate XML files for each type of
setting per user. Specifically, they are in the user's system
directory and the files are named: settings_type_of_settings.xml.
Data migration is performed after the data base is upgraded to its
last version after which the global, system, and secure tables are
dropped.
The global, secure, and system settings now have the same version
and are upgraded as a whole per user to allow migration of settings
between these them. The upgrade steps should be added to the
SettingsProvider.UpgradeController and not in the DatabaseHelper.
Setting states are mapped to an integer key derived from the user
id and the setting type. Therefore, all setting states are in
a lookup table which makes all opertions very fast.
The code is a complete rewrite aiming for improved clarity and
increased maintainability as opposed to using minor optimizations.
Now setting and getting the changed setting takes around 10 ms. We
can optimize later if needed.
Now the code path through the call API and the one through the
content provider APIs end up being the same which fixes bugs where
some enterprise cases were not implemented in the content provider
code path.
Note that we are keeping the call code path as it is a bit faster
than the provider APIs with about 2 ms for setting and getting
a setting. The front-end settings APIs use the call method.
Further, we are restricting apps writing to the system settings.
If the app is targeting API higher than Lollipop MR1 we do not
let them have their settings in the system ones. Otherwise, we
warn that this will become an error. System apps like GMS core
can change anything like the system or shell or root.
Since old apps can add their settings, this can increase the
system memory footprint with no limit. Therefore, we limit the
amount of settings data an app can write to the system settings
before starting to reject new data.
Another problem with the system settings was that an app with a
permission to write there can put invalid values for the settings.
We now have validators for these settings that ensure only valid
values are accepted.
Since apps can put their settings in the system table, when the
app is uninstalled this data is stale in the sytem table without
ever being used. Now we keep the package that last changed the
setting and when the package is removed all settings it touched
that are not in the ones defined in the APIs are dropped.
Keeping in memory settings means that we cannot handle arbitrary
SQL operations, rather the supported operations are on a single
setting by name and all settings (querying). This should not be
a problem in practice but we have to verify it. For that reason,
we log unsupported SQL operations to the event log to do some
crunching and see what if any cases we should additionally support.
There are also tests for the settings provider in this change.
Change-Id: I941dc6e567588d9812905b147dbe1a3191c8dd68
We compare the set of networks defined in the supplicant with the
set of networks described as "configured" by the Wifi Manager. The
latter excludes ephemeral networks, so any network definition we
find in the supplicant data that we do not also find in the
configured network set, we ignore for backup purposes.
Bug 18917753
Change-Id: I8e0f258d0cdb72d7bf9482fafe64dc921419fcb2
Restoring a device that supports telephony using the backup set of
a non-telephony device would cause the ringtone to be set to "None"
instead of the default value. This was due to the fact that on
non-telephony devices, the ringtone value was being backed up as
"_silent" instead of null.
Bug: 18777629
Change-Id: Idece1f874438a895169dbba7df1d716adea6660e
Reduce SettingsBackupAgent I/O when writing new checksum by wrapping
FileOutputStream in a BufferedOutputStream.
Bug: 18674340
Change-Id: Ia8169445d42d032e24d8a395e678295f67841a65
