We now maintain a meta-state with each permission in the form of flags
specifying the policy for this permission. This enables support of the
following use cases:
1. The user denies a permission with prejudice in which case an app cannot
request the permission at runtime. If an app requests such a permission
it gets a denial unless the user grants the permission from settings.
2. A legacy app with disabled app-ops being upgraded to support runtime
permissions. The disabled app ops are converted to permission revocations.
The app ops manager is a part of the activity manager which sits on top
of the package manager, hence the latter cannot have a dependency on the
former. To avoid this the package installer which is the global
permission management authority marks the permission as revoked on
upgrade and the package manager revokes it on upgrade.
3. A device policy fixing a permission in a granted or revoked state. This
additional information is folded in the meta-state flags and neither
can apps request such permissions if revoked, nor can the user change
the permission state in the UI.
Change-Id: I443e8a7bb94bfcb4ff6003d158e1408c26149811
Since package and primary storage movement can take quite a while,
we want to have SystemUI surface progress and allow the Settings
app to be torn down while the movement proceeds in the background.
Movement requests now return a unique ID that identifies an ongoing
operation, and interested parties can observe ongoing progress and
final status. Internally, progress and status are overloaded so
the values 0-100 are progress, and any values outside that range
are terminal status.
Add explicit constants for special-cased volume UUIDs, and change
the APIs to accept VolumeInfo to reduce confusion. Internally the
UUID value "null" means internal storage, and "primary_physical"
means the current primary physical volume. These values are used
for both package and primary storage movement destinations.
Persist the current primary storage location in MountService
metadata, since it can be moved over time.
Surface disk scanned events with separate volume count so we can
determine when it's partitioned successfully. Also send broadcast
to support TvSettings launching into adoption flow.
Bug: 19993667
Change-Id: Ic8a4034033c3cb3262023dba4a642efc6795af10
Since packages can be moved to other volumes, all relevant commands
to installd now require an explicit volume UUID parameter.
Bug: 20275577
Change-Id: Ie84f5bc43c7aada5800b8d71692c7928b42b965e
The READ_PHONE_STATE permission protects PII information and
is in the Phone group. This change is adding the corresponding
app op for gating access to the API guarded by READ_PHONE_STATE,
which will be used instead as an access control for legacy apps.
Change-Id: I2ff895a5a0e529f26ec0ad706266a30d829268ba
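An added example (not code from this commit) of how a service would gate an API behind both READ_PHONE_STATE and the new app op: the permission stays the hard gate, and the op is what lets the user or a policy turn access off for a legacy app that received the permission at install time. It assumes AppOpsManager.OPSTR_READ_PHONE_STATE as the public op string for the op this commit adds (public from API level 23), that the code runs inside a system service holding a Context, and that the caller identity is taken from Binder.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;

public final class PhoneStateGate {
    private final Context mContext;
    private final AppOpsManager mAppOps;

    public PhoneStateGate(Context context) {
        mContext = context;
        mAppOps = (AppOpsManager) context.getSystemService(Context.APP_OPS_SERVICE);
    }

    /**
     * Hard gate: the permission. A caller without it is rejected outright.
     * Soft gate: the app op. For a legacy app the permission was granted at
     * install time, so the op is what the user or a policy actually controls;
     * MODE_IGNORED means "answer with nothing", not "crash the caller".
     *
     * @param callingPackage the package name the caller passed in; it is
     *        cross-checked against the Binder uid before it is trusted
     * @return true if real phone state may be returned, false if an empty
     *         result should be returned instead
     */
    public boolean canReadPhoneState(String callingPackage) {
        final int uid = Binder.getCallingUid();
        final int pid = Binder.getCallingPid();

        if (mContext.checkPermission(Manifest.permission.READ_PHONE_STATE, pid, uid)
                != PackageManager.PERMISSION_GRANTED) {
            throw new SecurityException("READ_PHONE_STATE required, uid " + uid);
        }
        if (!packageBelongsToUid(callingPackage, uid)) {
            // Never note the op against a package the caller does not own:
            // the caller would then be judged by another app's op mode.
            throw new SecurityException(callingPackage + " is not owned by uid " + uid);
        }
        // Records the access for the user-visible history and returns the mode
        // (MODE_ALLOWED / MODE_IGNORED / MODE_ERRORED) without throwing.
        int mode = mAppOps.noteOpNoThrow(
                AppOpsManager.OPSTR_READ_PHONE_STATE, uid, callingPackage);
        return mode == AppOpsManager.MODE_ALLOWED;
    }

    private boolean packageBelongsToUid(String pkg, int uid) {
        String[] pkgs = mContext.getPackageManager().getPackagesForUid(uid);
        if (pkg == null || pkgs == null) return false;
        for (String p : pkgs) {
            if (p.equals(pkg)) return true;
        }
        return false;
    }
}
```

The order matters: the permission check throws, so an app that never held READ_PHONE_STATE gets the SecurityException it always got, while a legacy app whose op was turned off gets a false return and should be answered with an empty result.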
Add API to determine the possible candidate volumes that a package
can be moved to. For example, it currently knows that we need to
move ASEC-based apps through internal storage before migrating them
to a private volume.
Comparator for consistent VolumeInfo ordering when displayed in UI.
Fix native library symlink to be volume UUID aware.
Bug: 19993667
Change-Id: I68d5fac5f0f776ac1c7dd15e7a984bfe2704f3f7
- add private PackageManager APIs for setting/getting the default
Browser App package name
- serialize / deserialize the default Browser App package name per User
Also relax the host name validation for the AppLinks feature. Now we
just care whether the IntentFilter has an HTTP or HTTPS scheme.
Change-Id: I4436f66ac6beff57e14f7f3a2a00b0b582c03be9
- add private API PackageManager.getAllIntentFilters(String)
for getting all IntentFilters from a given package
- update IntentFilterVerificationInfo to use an ArrayList<String>
for domains instead of a String[]
- if you make an App a default domain handler then make the
others non-default
- create an IntentVerificationInfo even if the App IntentFilters
do not need to be verified. This would be done only if the App
has some domain URLs defined and would allow making it the
default handler for a domain
- a few code optimizations here and there
Change-Id: I4535372a0bb1a2c8e662e1485be8ca700003e9b3
PackageManager now offers to load/unload packages when expanded
volumes are mounted/unmounted. Expanded storage volumes are still
treated as FLAG_EXTERNAL_STORAGE from a public API point-of-view,
but this change starts treating the INSTALL_EXTERNAL flag as
exclusively meaning ASEC containers.
Start tracking the UUID of the volume where a package is installed,
giving us a quick way to find relevant packages. When resolving an
install location, look across all expanded volumes and pick the one
with the largest free space. When upgrading an existing package,
continue preferring the existing volume. PackageInstaller now knows
how to stage on these volumes.
Add new movePackage() variant that accepts a target volume UUID
as destination, it will eventually move data too. Expose this
move command through "pm" command for testing.
Automount expanded volumes when they appear.
Bug: 19993667
Change-Id: I9ca2aa328b9977d34e8b3e153db4bea8b8d6f8e3
The purpose of this feature is to prompt the Disambiguation dialog
to Users as little as possible.
- add the new "autoVerify" property to the IntentFilter class
- add new APIs to PackageManager:
verifyIntentFilter(int, int, List<String>),
getIntentVerificationStatus(String, int),
updateIntentVerificationStatus(String, int, int),
getIntentFilterVerifications(String)
for supporting IntentFilter verification
- add support for multi-user
- update PackageManager for IntentFilter verification:
basically when we are installing a new package, ask for verification
of all domains from the IntentFilters that have "autoVerify" set to true.
This means that the PackageManager will send a well defined protected
broadcast (with a new INTENT_FILTER_NEEDS_VERIFICATION action) to
an IntentFilter verifier to do the real job of verification.
We are passing in the broadcast Intent all the necessary data for
doing the verification. The PackageManager will receive as response
the result code of the domain verifications and, if needed, the list
of domains that have failed the verification.
- add a new INTENT_FILTER_VERIFICATION_AGENT permission that needs to
be set by an intent filter verifier to be considered as a trustable
party by the PackageManager.
- add also a new BIND_INTENT_FILTER_VERIFIER permission for securing
the binding between the PackageManager and a service doing the
intent filter verifications.
- add ResolveInfo filterNeedsVerification which is a boolean
to know if the IntentFilter is of a type that needs a verification
(action VIEW, category BROWSABLE, HTTP/HTTPS data URI)
- add new "domain-preferred-apps" / "d" dump command for listing the
preferred Apps for all domains
- add new "intent-filter-verifiers" / "ivf" command for listing the
IntentFilterVerifier used
- introduce the IntentVerificationService which is a basic service
for verifying IntentFilters. This service will send HTTPS requests
to the domain declared in the IntentFilter(s) for doing the
verification. This service has a low priority level so that it
can be replaced by a more sophisticated one if needed. This service
is updating the PackageManager intent verification states through
the updateIntentVerificationStatus(...) API.
- update MockPackageManager
Change-Id: I0bfed193d0bf1f7c7ac79f6c1b160b7ab93b5fb5
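The rule this commit states for which filters need verification (action VIEW, category BROWSABLE, HTTP or HTTPS data) is the same scheme test the AppLinks commit earlier in this log relaxes host validation to. The following is an added example, not code from either commit, that applies that rule with the public IntentFilter API and lists the hosts a verifier would have to check over HTTPS. It assumes IntentFilter.getAutoVerify()/setAutoVerify() as the public form of the "autoVerify" property (public from API level 23), and the sample filter at the bottom is constructed for the example.

```java
import android.content.Intent;
import android.content.IntentFilter;
import android.content.IntentFilter.AuthorityEntry;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public final class IntentFilterDomains {
    private IntentFilterDomains() {}

    /** The filter shape the commit says needs verification. */
    public static boolean needsVerification(IntentFilter f) {
        return f.hasAction(Intent.ACTION_VIEW)
                && f.hasCategory(Intent.CATEGORY_BROWSABLE)
                && hasWebScheme(f);
    }

    /** The relaxed host check from the AppLinks commit: only the scheme matters. */
    public static boolean hasWebScheme(IntentFilter f) {
        return f.hasDataScheme("http") || f.hasDataScheme("https");
    }

    /**
     * Hosts the verifier must confirm for this filter, lower-cased and
     * de-duplicated. A filter is only as trustworthy as its weakest host: if
     * any one of these fails verification the whole filter must stay
     * unverified, otherwise an app could claim links for a domain it does
     * not control by bundling it with one it does.
     */
    public static List<String> domainsToVerify(IntentFilter f) {
        List<String> hosts = new ArrayList<>();
        if (!f.getAutoVerify() || !needsVerification(f)) {
            return hosts;  // nothing to verify, nothing to claim
        }
        for (int i = 0; i < f.countDataAuthorities(); i++) {
            AuthorityEntry a = f.getDataAuthority(i);
            String host = a.getHost();
            if (host == null || host.isEmpty()) {
                continue;
            }
            host = host.toLowerCase(Locale.ROOT);
            if (!hosts.contains(host)) {
                hosts.add(host);
            }
        }
        return hosts;
    }

    /** Constructed sample: what an app declares with android:autoVerify="true". */
    public static IntentFilter sampleFilter() {
        IntentFilter f = new IntentFilter(Intent.ACTION_VIEW);
        f.addCategory(Intent.CATEGORY_DEFAULT);
        f.addCategory(Intent.CATEGORY_BROWSABLE);
        f.addDataScheme("https");
        f.addDataAuthority("www.example.com", null);
        f.addDataAuthority("Example.com", null);  // mixed case, folds to example.com
        f.setAutoVerify(true);
        return f;
    }
}
```

For sampleFilter() the result of domainsToVerify() is the two hosts www.example.com and example.com; a filter without the BROWSABLE category, or with only a custom scheme, yields an empty list and is never eligible to become a default handler through verification.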
Before, all permissions were granted at install time at once, so the user
was presented with an all or nothing choice. In the new runtime permissions
model all dangerous permissions (normal ones are always granted and signature
ones are granted if signatures match) are not granted at install time and
the app can request them as necessary at runtime.
Before, all permissions granted to an app were identical for all users as
granting is performed at install time. However, the new runtime model
allows the same app running under two different users to have different
runtime permission grants. This change refactors the permissions
bookkeeping in the package manager to enable per user permission tracking.
The change also adds the app facing APIs for requesting runtime permissions.
Change-Id: Icbf2fc2ced15c42ca206c335996206bd1a4a4be5
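As an added illustration of the app-facing side of the runtime permission model described in this commit and of the denied-with-prejudice and policy-fixed states described in the meta-state flags commit at the top of this log (this is example code, not from either commit): an Activity that checks a dangerous permission on every use, requests it, and degrades when the request comes back denied. It assumes a hypothetical package com.example.runtimeperms and an app targeting API level 23, where checkSelfPermission, requestPermissions, shouldShowRequestPermissionRationale and onRequestPermissionsResult are public Context/Activity methods.

```java
package com.example.runtimeperms;  // hypothetical package for this example

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.util.Log;
import android.widget.Toast;

public class ContactsActivity extends Activity {
    private static final String TAG = "ContactsActivity";
    private static final String PERM = Manifest.permission.READ_CONTACTS;
    private static final int REQ_READ_CONTACTS = 1;  // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        loadContactsIfPermitted();
    }

    private void loadContactsIfPermitted() {
        // Dangerous permissions are no longer granted at install time, and the
        // grant is per user and revocable at any time, so check on every use.
        if (checkSelfPermission(PERM) == PackageManager.PERMISSION_GRANTED) {
            loadContacts();
            return;
        }
        // Returns false before the first request and also after the user
        // denied with "don't ask again" or a policy fixed the permission. In
        // those fixed cases the request below is answered with a denial and no
        // prompt; only the user, from Settings, can change the state.
        if (!shouldShowRequestPermissionRationale(PERM)) {
            Log.i(TAG, "no rationale prompt will be shown for " + PERM);
        }
        requestPermissions(new String[] {PERM}, REQ_READ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
            int[] grantResults) {
        if (requestCode != REQ_READ_CONTACTS) {
            super.onRequestPermissionsResult(requestCode, permissions, grantResults);
            return;
        }
        // grantResults is empty when the request is cancelled; treat as denied.
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            loadContacts();
        } else {
            // Degrade the feature; never re-request in a loop, since a fixed
            // denial is answered immediately and the loop would spin.
            Toast.makeText(this, "Contacts are unavailable without permission",
                    Toast.LENGTH_LONG).show();
        }
    }

    private void loadContacts() {
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null)) {
            Log.i(TAG, "contacts visible: " + (c == null ? 0 : c.getCount()));
        }
    }
}
```

Because grants are tracked per user, the same APK running under a second user starts from the not-granted state and goes through the same request; nothing about the first user's choice carries over.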
Added an overload of getSystemService() that takes a class instead of a
service name to eliminate the extra cast and provide more type safety.
Cleaned up docs.
Removed the default constructor of BatteryManager which should not have
existed.
Change-Id: I9da46b20641fc83ecd3342560e5b94cb721f289c
All but a few lines of this is for issue #16013164, which allowed
apps to do some operations as the media uid by having it call
back to them to open a file. The problem here is with the temporary
identity stuff in the activity manager, allowing us to make the open
call as the original caller... ideally we should figure out a way
to just get rid of all of that, but the solution here is actually
easier (even though it doesn't look it) -- we now hand a token over
to the openFile() call that it can use when doing permission checks
to say "yes I would like the check to be against whoever is responsible
for the open". This allows us to do the uid remapping for only this
one specific set of permission checks, and nothing else.
Also fix issue #17487348: Isolated services can access system services
they shouldn't be able to. Don't send any system service IBinder objects
down for the first initialization of an isolated process.
Change-Id: I3c70e16e0899d7eef0bae458e83958b41ed2b75e
If the creation of an Activity fails, it is impossible to determine what
went wrong. We should log the exception immediately before failing on assert.
Change-Id: Ie6cbe87ff342b8d60989f5e1a6ffa3efc058c585
Currently, Mockito tests don't run on ART (KitKat & L) due to an extra
NoClassDefFoundError exception being thrown while trying to resolve
internal test runner classes. These exceptions are benign: Mockito's
internal test runners all inherit from org.junit.runner.Runner, which is
not included in the setup, but none of them are actually used in tests.
The same apks succeed on Dalvik, and logcat shows the same exceptions
going by, minus the NCDFEs.
Section 5.3 of the VM spec says the virtual machine has to wrap a
ClassNotFoundException in NoClassDefFoundError if the first exception
arises from verification or resolution but not initialization of that
particular class.
Bug: 17042833
Change-Id: I3af20f6884d9fa3afc3fbf9fcb238be10267827a
The motivation is an API change: FloatMath is going to be
deprecated and/or removed. Performance is not the goal of
this change.
That said...
Math is faster than FloatMath with AOT compilation.
While making the change, occurrences of:
{Float}Math.sqrt(x * x + y * y) and
{Float}Math.sqrt({Float}Math.pow(x, 2) + {Float}Math.pow(y, 2))
have been replaced with:
{(float)} Math.hypot(x, y)
Right now there is no runtime intrinsic for hypot so it is not faster
in all cases for AOT compilation:
Math.sqrt(x * x + y * y) is faster than Math.hypot(x, y) with
AOT, but all other combinations of FloatMath, use of pow() etc.
are slower than hypot().
hypot() has the advantage of being self documenting and
could be optimized in future. None of the behavior differences
around NaN and rounding appear to be important for the cases
looked at: they all assume results and arguments are in range
and usually the results are cast to float.
Different implementations measured on hammerhead / L:
AOT compiled:
[FloatMath.hypot(x, y)]
benchmark=Hypot_FloatMathHypot} 633.85 ns; σ=0.32 ns @ 3 trials
[FloatMath.sqrt(x*x + y*y)]
benchmark=Hypot_FloatMathSqrtMult} 684.17 ns; σ=4.83 ns @ 3 trials
[FloatMath.sqrt(FloatMath.pow(x, 2) + FloatMath.pow(y, 2))]
benchmark=Hypot_FloatMathSqrtPow} 1270.65 ns; σ=12.20 ns @ 6 trials
[(float) Math.hypot(x, y)]
benchmark=Hypot_MathHypot} 96.80 ns; σ=0.05 ns @ 3 trials
[(float) Math.sqrt(x*x + y*y)]
benchmark=Hypot_MathSqrtMult} 23.97 ns; σ=0.01 ns @ 3 trials
[(float) Math.sqrt(Math.pow(x, 2) + Math.pow(y, 2))]
benchmark=Hypot_MathSqrtPow} 156.19 ns; σ=0.12 ns @ 3 trials
Interpreter:
benchmark=Hypot_FloatMathHypot} 1180.54 ns; σ=5.13 ns @ 3 trials
benchmark=Hypot_FloatMathSqrtMult} 1121.05 ns; σ=3.80 ns @ 3 trials
benchmark=Hypot_FloatMathSqrtPow} 3327.14 ns; σ=7.33 ns @ 3 trials
benchmark=Hypot_MathHypot} 856.57 ns; σ=1.41 ns @ 3 trials
benchmark=Hypot_MathSqrtMult} 1028.92 ns; σ=9.11 ns @ 3 trials
benchmark=Hypot_MathSqrtPow} 2539.47 ns; σ=24.44 ns @ 3 trials
Bug: https://code.google.com/p/android/issues/detail?id=36199
Change-Id: I06c91f682095e627cb547d60d936ef87941be692
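An added example (not part of the commit) of one behavioural difference the commit's in-range assumption sets aside: with float arguments, x * x overflows to infinity before sqrt ever sees it, whereas Math.hypot widens to double and is specified to avoid intermediate overflow. Plain Java, no Android dependency; the inputs are constructed for the example.

```java
public final class HypotOverflow {
    private HypotOverflow() {}

    /** The form the commit replaces: float multiplication overflows for |x| above roughly 1.8e19. */
    public static float sqrtMult(float x, float y) {
        return (float) Math.sqrt(x * x + y * y);
    }

    /** The replacement: arguments are widened to double, and hypot has no intermediate overflow. */
    public static float hypot(float x, float y) {
        return (float) Math.hypot(x, y);
    }

    /** True when the two forms give materially different answers for these inputs. */
    public static boolean formsDisagree(float x, float y) {
        float a = sqrtMult(x, y);
        float b = hypot(x, y);
        if (Float.isInfinite(a) != Float.isInfinite(b)) {
            return true;
        }
        return Math.abs(a - b) > Math.ulp(b);
    }

    public static void main(String[] args) {
        // In-range input, the case the converted code assumes: both forms agree.
        System.out.println("3,4: " + sqrtMult(3f, 4f) + " vs " + hypot(3f, 4f)
                + " disagree=" + formsDisagree(3f, 4f));
        // Out-of-range input (constructed): the product 1e40 exceeds Float.MAX_VALUE.
        float big = 1e20f;
        System.out.println("1e20,1e20: " + sqrtMult(big, big) + " vs " + hypot(big, big)
                + " disagree=" + formsDisagree(big, big));
    }
}
```

For (3, 4) both forms return 5.0 and formsDisagree is false; for (1e20, 1e20) sqrtMult returns Float.POSITIVE_INFINITY while hypot returns a finite value near 1.414e20, so formsDisagree is true. Any caller that feeds unbounded input (for instance, coordinates parsed from untrusted data) into the sqrt form should expect the infinity.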
TouchUtil's drag method tries to sync after sending
each event, which is not necessary. Syncs are slow, so
removing them greatly improves test running time.
Bug: 17323559
Change-Id: Ia4ed02b2af44da0d821d93d28f963005d9d7ea79
Problem:
1. ProviderTestCase2 passes a null as a ProviderInfo to the ContentProvider
2. mAuthority and mAuthorities will be null during the test
3. ContentProvider.matchesOurAuthorities will throw an NPE.
Fix:
Supply a ProviderInfo with authority.
Example bug:
b/17379295
Change-Id: Ia533313c0994727ef81f337a4e31a57ae7ec3c15
Hide KeySet API. Change getKeySetByAlias to not require aliases from the calling
package. Make KeySet parcelable. Add hashCode method.
Bug: 16895228
Bug: 17009318
Change-Id: I75951947dfc7a3cca9f8873bda72576d11abaaf0
The goal of this change is to enable support for app widgets from
user profiles to the user's main profile. A user profile is a user
which is associated as a child of the main user profile. For example,
a user may have a personal (parent) and corporate (child) profile.
The device policy should be able to control whether adding a widget
from a child profile and given packages is allowed. This change
assumes that all packages from managed profiles are whitelisted.
Another change will add the device policy changes.
Change-Id: I267260b55d74c48b112a29979a9f59eef7a8194e
This corrects the expected behavior of the app state. Hidden apps
can be installed by the store to be brought out of hidden state.
Bug: 16191518
Change-Id: Id128ce971ceee99ba1dea14ba07ce03bd8d77335
This provides a directory where apps can cache compiled or optimized
code generated at runtime. The platform will delete all files in
this location on both app and platform upgrade.
Bug: 16187224
Change-Id: I641b21d841c436247f35ff235317e3a4ba520441
Flesh out documentation and finalize first cut of API. Also surface
installLocation and splitNames through PackageInfo.
Bug: 14975160, 15348430
Change-Id: Ic27696d20ed06e508aa3526218e9cb20835af6a0
This is an app-private filesystem space exactly like the one
reported by Context.getFilesDir(), with one exception: files
placed here are never backed up by the full-backup infrastructure.
If an app attempts to back up any of its contents via the normal
API it's immediately ignored with a logged warning.
The restriction is also enforced on the restore side, because
apps using support libraries might wind up creating full backup
archives containing no_backup subdirs on pre-L devices (via
adb backup, Helium, &c.). We check for this before passing the
restore data to the app, and drop it if we detect the situation
so that the app never sees the bits.
Bug: 16240573
Change-Id: I11216a391f1d32117ec7ce15aafc9cd93d0337de
So, corporate apps in disambiguation dialogs are badged.
And update the way we show the icon of the personal space to this new design.
BUG: 14377051
Change-Id: Idc707773a64a8feb2d9d4df88c425d5100542636
In an intent disambiguation dialog from a managed profile,
when the intent can be forwarded to the personal space:
show the icon of the parent next to "Personal apps".
And put it at the bottom of the dialog.
Change-Id: I523222aac5dde9653e784eb26cf23cdaf018b86c