Move tethering out of ConnectivityService. All client would
use TetheringManager to talk with TetheringService directly.
Bug: 144320246
Test: -build, flash, boot
-atest TetheringTests
Change-Id: Ib051bea724a256f9c4572b566e46ae7b9c4abe6e
Merged-In: Ib051bea724a256f9c4572b566e46ae7b9c4abe6e
This adds new permissions required when setting the time /zone in
response to telephony signals and when setting the time / zone manually
along the lines of "principle of least privilege".
The intent is to later restrict the number of distinct processes that
can manipulate the device system clock / time zone property directly so
that all time changes go through the time / time zone detector services,
which can enforce policy, log the reasons for changes, and so on.
Bug: 140712361
Test: atest com.android.server.timedetector
Change-Id: Iabd3a5f449ad2ef2b6581475ef2535a4a8a88ef9
Since tethering is moved from systemServer to networkStack
process, it would lose privileged capability. Grant privileged
permissions for tethering individually. Grant MANAGE_USB to control
usb rndis function. Grant MODIFY_PHONE_STATE to know whether DUN
is required. Grant READ_NETWORK_USAGE_HISTORY to update tethering
usage. Grant UPDATE_APP_OPS_STATS to check WRITE_SETTINGS permission.
Bug: 144320246
Test: -build, flash, boot
-atest TetheringTests
Change-Id: Id6e71b58e027d6ba90551084367ef881652c2555
Grant TETHER_PRIVILEGED permissions to the shell identity
for use within CTS tests.
Bug: 145490751
Test: atest CtsTetheringTest
Change-Id: Ifad265cdc5e0b1b1b2fa8f4f79eeb7dd18493624
Merged-In: Ifad265cdc5e0b1b1b2fa8f4f79eeb7dd18493624
Add CONNECTIVITY_USE_RESTRICTED_NETWORKS permission to phone
package in privapp permission list.
Bug: 146222771
Test: build, flash, boot to home
Change-Id: I1c88b892b1d2f50856b139a5cad5dc8b07a006be
Settings application needs the previleged permission to retrieve UICC
card information by using Telephony Manager API.
Bug: 141256483
Test: Manual and SimStatusDialogControllerTest
Change-Id: I33d3bb1947d828e283ee62b7cd0936b8baf73acb
1. Grant ENTER_CAR_MODE and CONTROL_INCALL_EXPERIENCE permissions to the
shell identity for use within CTS tests.
2. Remove un-needed Telecom shell command.
Test: unit tests, telecom CTS tests, manual testing
Bug: 144345414
Change-Id: I54a2e723d6ef9552117e6cadf4ab7c449dd5e3cb
Per design doc (go/android-car-mode-design), added new system API to
enable car mode and specify a priority for the calling app.
Also modified UiModeManager to pass the package name of the caller to
UiModeManagerService.
Bug: 136109592
Test: Added new unit tests and CTS tests.
Test: Added Telecom test app functionality to verify.
Change-Id: I2848039c9ea18ba93e7694e04c4e5dc70759daa3
Merged-In: I2848039c9ea18ba93e7694e04c4e5dc70759daa3
Update the permissions and resource to reflect this move.
Bug: 135956699
Test: manual
Change-Id: I8c798f48e3a342cc2ce29d1f7f199ae1337ff2d0
Merged-In: I8c798f48e3a342cc2ce29d1f7f199ae1337ff2d0
CellBroadcastService is bound to by the platform to handle cell
broadcasts.
Bug: 135956699
Test: manual
Change-Id: I865c09d6d246779b706c06371df685d415618699
It's needed because when we broadcast ACTION_SIM_SLOT_STATUS_CHANGED
we want to allow the receiving app to start an activity from the
background.
The app already has it implicitly, since it has the same shared UID as
com.android.stk which has the permission for unrelated reasons. Making
it explicit makes it less likely it will lose the permission
accidentally re-introducing a subtly bug.
Bug: 132691768
Test: Builds
Change-Id: I85669423e628b4534a3f28efd17947ca2481454e
Merged-In: I85669423e628b4534a3f28efd17947ca2481454e
This reverts commit b59c74f3026ce1b7f978cb15275ee01dd001cf3b.
Reason for revert: depends on ag/9477322 being CP'd, or else causes breakages downstream (b/142399383)
Change-Id: I25b1695757d5fec8c00f05d033c33501f4fc5389
CellBroadcastService is bound to by the platform to handle cell
broadcasts.
Bug: 135956699
Test: manual
Change-Id: Ib1b20da03d271fc0b2736774b2ca6c6514944093
Merged-In: Ib1b20da03d271fc0b2736774b2ca6c6514944093
And also pre-grant it to all apps that currently get any storage
permission pre-granted
Test: atest SplitPermissionTest
m -j gts && gts-tradefed run commandAndExit gts-dev -m GtsPermissionTestCases --test=com.google.android.permission.gts.DefaultPermissionGrantPolicyTest#testDefaultGrantsWithRemoteExceptions
Manual testing:
All combinations of
- App targetSdk = 28 and 29 (and 22 for extra credit)
- App having the <uses-permission> tag for
ACCESS_MEDIA_LOCATION or not
- Upgrade from P->Q-QPR and from vanilla Q->Q-QPR
Further upgrade of targetSdk from 28->29 while on Q-QPR
==> All permission behavior should make sense. Sometimes there
are weird, but expected behaviors. Hence we need to
collect the results and then look at the unexpected ones.
See SplitPermissionTest for some tests I added for the
location-background permission which was split from
the fine/coarse-location permissions
Fixes: 141048840,140961754
Change-Id: Ib9f50d25c002036f13cf2d42fc4d1b214f20920c
This reverts commit 0999f93e4a00a7991d13cfca185e99b9fbecbc38.
Reason for revert: There is a better choice (ag/8051966) than adding the permission to resolve b/130827484
Bug: 130827484
Change-Id: I1b8fd74a173d4b0ef981e51f7e0a9c5f84d5f416
com.android.providers.downloads
Required because DownloadManager needs to whitelist
a broadcast for bg activity starts.
Bug: 135515407
Test: builds, boots (it wouldn't without this)
Change-Id: Id6c22d1397417bbc10e2829e563f29cbccccd8bf
This permission is necessary for Q as it allows systemui to tag
notifications of apps that are using certain AppOps. This is a P
feature that has regressed when the permission was made privileged.
This is used by AppOpsController in order to obtain updates on any apps
(onOpActiveChanged, onOpNoted). There is no other way to obtain the
updates from apps that are not systemui, as specified in AppOpsManager.
Talked to moltmann@ to verify that this is the correct API to use for this feature.
I'll remove this permission once SystemUI does not need it anymore.
In particular, if AppOpsController does not require it for being notified of AppOps changes.
Fixes: 134747188
Test: build
Test: dumpsys SystemUI. Check that AppOpsController is getting updates.
Change-Id: I08cca4361a7fbfa8b2eb419f1459b0b8bce93a5f
Most of the time MediaProvider is making Binder calls on behalf of
an external caller, so use PropagateWorkSourceTransactListener to
ensure that we record the original source.
Bug: 125725916
Test: atest --test-mapping packages/apps/MediaProvider
Change-Id: I591dfb2903a54239639452954ea2d780e79b280c
The native services should specify their permissions in platform.xml if
they need internet permission, otherwise the eBPF program will block the
socket creation request. Fixing the known services that are in group
AID_INET but didn't specify their permission in the xml file.
Bug: 132217906
Test: CtsJdwpTestCases dumpsys netd trafficcontroller
Change-Id: I84cde7d3757953bc0bf761727d64a715bcdd68bb
Merged-In: I84cde7d3757953bc0bf761727d64a715bcdd68bb
(cherry picked from commit e5d6f0fa6c3fd77572f5b29f416acbf304abf9da)
Now that we have LocalCallingIdentity, we can start caching it in
very narrow cases. We must be careful to not cache too long, since
any changes to granted permissions for the UID mean we need to
re-evaluate any cached answers.
The best middle-ground for this in the Q release is to use an active
camera session as a proxy for when we should create a cache object
and then later invalidate it. (It's very unlikely that a user
changes permissions while actively using the camera, and this is
a strong signal that the caller is sensitive to performance.)
Many other sprinkled optimizations to avoid extra binder calls into
the OS, such as aggressively caching VolumeInfo related details.
Track IDs that are owned by each LocalCallingIdentity, to speed up
all future security checks.
Dispatch all change notifications asynchronously, and delay them by
several seconds while the camera is being actively used, to give
more important foreground work a fighting chance. Invalidate
thumbnails asynchronously.
Optimizations to ModernMediaScanner where it's safe to skip the
"reconcile" and "clean" steps when we're focused on a single file
that we successfully scanned.
Local tests show this CL improves performance of a test app that
takes 100 rapid shots by 45%. (All the collective optimizations
done so far this week add up to a 70% improvement.)
Bug: 130758409
Test: atest --test-mapping packages/providers/MediaProvider
Exempt-From-Owner-Approval: trivial manifest change
Change-Id: I38cc826af47d41219ef44eae6fbd293caa0c01d5
Hence mark the new split permissions as 29 instead of 10000.
Fixes: 132898943
Test: atest SplitPermissionTest
Change-Id: I0aa3e9b4d60cea1a59b891f2fb2d94a734efebf2
