This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not
whitelisted. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed, with default grants
and role holders being on it; upgrade: only the OS puts apps on this list
when upgrading from a pre- to post-restriction permission database
version, and the OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system, of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible for syncing between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade, such as adding all permissions held
by apps pre-upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to VP feedback on how we would handle
SMS/CallLog restriction as we pivoted from a role based approach to roles
for things the user would understand plus a whitelist for everything else.
This would also help us roll out the storage permission softly, as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
bug:124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd
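As an added example (not code from this change or its tests), the installer side of the mechanism the message above describes, written against the public installer APIs this change is understood to introduce. The names `PackageInstaller.SessionParams.setWhitelistedRestrictedPermissions`, `PackageManager.addWhitelistedRestrictedPermission`, `removeWhitelistedRestrictedPermission`, `getWhitelistedRestrictedPermissions` and the flag `FLAG_PERMISSION_WHITELIST_INSTALLER` are assumptions, as is the calling app being the installer on record for `targetPkg`.

```java
// Added example, not code from this change. API names are assumed (see
// lead-in); the caller is assumed to be the installer on record.
import android.Manifest;
import android.content.Context;
import android.content.pm.PackageInstaller;
import android.content.pm.PackageManager;
import java.io.IOException;
import java.util.Collections;
import java.util.Set;

public final class InstallerWhitelist {

    // At install time the installer decides which restricted permissions the
    // app may hold at all. Whitelisting is not granting: the app still has to
    // request the permission and the user still has to approve it.
    public static int createSessionAllowing(Context ctx, Set<String> allowedRestricted)
            throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        // Assumption: if the installer sets nothing, the framework whitelists
        // every restricted permission, so an installer that wants to restrict
        // must set the list explicitly (an empty set restricts everything).
        params.setWhitelistedRestrictedPermissions(allowedRestricted);
        return installer.createSession(params);
    }

    // Later additions/removals go on the installer list only. Per the
    // message above, the system and upgrade lists are managed by the OS.
    public static boolean allowLater(Context ctx, String targetPkg, String permission) {
        return ctx.getPackageManager().addWhitelistedRestrictedPermission(
                targetPkg, permission, PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
    }

    public static boolean disallow(Context ctx, String targetPkg, String permission) {
        return ctx.getPackageManager().removeWhitelistedRestrictedPermission(
                targetPkg, permission, PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
    }

    // Check: what the installer list currently holds for the package. A
    // restricted permission on none of the three lists cannot be held.
    public static boolean isInstallerWhitelisted(Context ctx, String targetPkg,
            String permission) {
        Set<String> current = ctx.getPackageManager().getWhitelistedRestrictedPermissions(
                targetPkg, PackageManager.FLAG_PERMISSION_WHITELIST_INSTALLER);
        return current.contains(permission);
    }

    // Example policy: allow SMS for this one app and no other restricted permission.
    public static int installSmsApp(Context ctx) throws IOException {
        return createSessionAllowing(ctx,
                Collections.singleton(Manifest.permission.READ_SMS));
    }
}
```

The useful check for an installer is `isInstallerWhitelisted` after commit: a restricted permission the installer left off the set at session creation will not appear there, and the app cannot obtain it through a normal runtime request until the installer (or the OS, on its own lists) adds it.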
We've messaged since the N release that file:// Uris are going away,
and we've been crashing those apps via StrictMode for many years.
The broader storage changes in Q mean it's finally a good time to say
we only handle content:// items.
Bug: 123212933
Test: none
Change-Id: I69a791468c4bcf45b0022cf52264e78f94bfdeae
Obtain the correct admin and dialog information when a restriction prevents the
user from installing apps from unknown sources.
Bug: 118881180
Test: atest com.android.server.devicepolicy.DevicePolicyManagerTest
Change-Id: I8112aaca64f85d421ee1029edc5c47909e31f12f
This reverts commit 38ea50c63e8a031a6430d26b1f5b561402007243.
Revert and clean up merge conflicts. The checkbox which asks
to remove app data is still here
Fixes:112002130
Test: Build and check that the correct box is gone
atest CtsPackageUninstallTestCases
Change-Id: I47d8632d2fca360c02151ad54a4b927a5c2801f1
If an app declares that it has fragile user data, allow the user to choose
to keep the app data on uninstall.
Test: Uninstalled apps that set the new flag and apps that did not.
Verified that the KEEP_DATA flag was set when the checkbox was
clicked.
Change-Id: I032fb21854352bbc175934ae5eb68a1430b1d403
Fixes: 117578306
Apps might have contributed files. During uninstall the files are
usually left on the system. To avoid filling up the storage we allow the
user to delete the files during uninstall.
Bug: 112002130
Test: Uninstalled an app that contributed files
Change-Id: I7e71ed524055bdda91ce9e66f995540363ceb229
I am not sure if .bp files already allow creating google-signed variations, hence go back to .mk file.
Test: Built + Booted on taimen-eng
Change-Id: I4b413d18eec07a1f84050693a7b8a97b51fa3270
and "install app notification"
Bug: 111214100
Test: CTS test will be submitted with flag enabling commit
Change-Id: I604d75dc48e09039619f571d418a700106cbdd5d
Bug: 114719061
Test: builds, installed the app and verified visually
TL;DR: when the main icon is rendered, there's no guarantee that the icon
will be rendered in a 48dp view. For the inset to be applied proportionally,
a percentage should be used instead of a static dp unit.
Change-Id: Iacfcf7a5a2aa430c70c5db7c803267cf7eb5ad45
InstallStart was reading sessionInfo whenever the starting intent had
the extra EXTRA_SESSION_ID. This could happen even if an external app
inserted a valid session id into its own REQUEST_INSTALL_PACKAGE intent.
This allows apps to potentially spoof the calling package.
Test: Existing tests pass:
atest GtsPackageInstallTestCases GtsNoPermissionTestCases \
GtsNoPermissionTestCases25
Bug: 112031362
Change-Id: Icdab1deeaf6b0afe7a61709cd87305336c467e33
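As an added illustration of the check the message above describes (not the fix's own code), a sketch of an install-start activity that consults the session named by `EXTRA_SESSION_ID` only when the intent carries the system's confirm-install action, and otherwise identifies the caller from `getCallingPackage()`, which the framework sets and an untrusted intent cannot forge. Assumptions: the value of the confirm-install action string, and that the activity is launched via `startActivityForResult` so that `getCallingPackage()` is populated.

```java
// Added example, not the fix's own code. The action string value is an
// assumption; the point is which source of truth is consulted on which path.
import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageInstaller;
import android.os.Bundle;

public class InstallStartExample extends Activity {
    // Assumed value of the action the system uses to ask for install confirmation.
    static final String ACTION_CONFIRM_INSTALL = "android.content.pm.action.CONFIRM_INSTALL";

    /**
     * Resolve who is asking for the install.
     *
     * Unsafe pattern described in the commit message (do not do this):
     *   if (intent.hasExtra(PackageInstaller.EXTRA_SESSION_ID)) { read session }
     * Any app can attach a valid session id to its own REQUEST_INSTALL_PACKAGE
     * intent and have the session's installer name taken as the caller.
     *
     * @param intent the launching intent (attacker-controlled for app launches)
     * @param frameworkCallingPackage result of Activity.getCallingPackage(), set by
     *        the framework, null if not launched for result
     * @param installer used to look up the session on the system path only
     * @return the caller to attribute the request to, or null to refuse
     */
    static String resolveCallingPackage(Intent intent, String frameworkCallingPackage,
            PackageInstaller installer) {
        String callingPackage = frameworkCallingPackage;

        // Only trust the session extra on the path where the system supplies it.
        if (ACTION_CONFIRM_INSTALL.equals(intent.getAction())
                && intent.hasExtra(PackageInstaller.EXTRA_SESSION_ID)) {
            int sessionId = intent.getIntExtra(PackageInstaller.EXTRA_SESSION_ID, -1);
            PackageInstaller.SessionInfo sessionInfo = installer.getSessionInfo(sessionId);
            if (sessionInfo != null) {
                callingPackage = sessionInfo.getInstallerPackageName();
            }
        }
        // Neither path yielded an identity: refuse rather than guess.
        return callingPackage;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        String caller = resolveCallingPackage(getIntent(), getCallingPackage(),
                getPackageManager().getPackageInstaller());
        if (caller == null) {
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // Continue the install flow attributed to `caller` (permission checks,
        // unknown-sources handling, confirmation UI) from here.
    }
}
```

Keeping the resolution in a static method with the framework-provided caller passed in makes the trust decision unit-testable: a REQUEST_INSTALL_PACKAGE intent with a forged session id must resolve to the framework caller, not the session's installer name.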
Also add a special API to set them. Internally they are still just
regular private flags
Test: Built
Bug: 116798569
Change-Id: I687b751fa18c7fbcc9bf95aa44d94d8a5614a88f
The android.content.pm.PackageInstaller install + uninstall APIs are
fully functional. No need to try to keep the intent based APIs
feature compatible.
In the future we will be able to restrict app targeting old targetSDK
levels from using the intent-based API. Even further in the future we
can radically simplify the package installer app.
Fixes: 116616700
Test: Built
Change-Id: Ia225d70fbee3fa31a3c1de388dcb05ff1063dccd
This adds a new framework user restriction that can be used by the DPC
to block installs from unknown sources on all profiles of a device.
Test: Manual test, disallowing installs in TestDPC disables installing
unknown sources apps.
Bug: 111335021
Change-Id: Ib9fb672c5e5dea2ac63bf8cbd1b04484b12b4056
Since the installation involves a user visible UI, set the
appropriate reason. This ensures that the app icon is added
on the homescreen.
Test: Installed an apk using the files app
Bug: 65473379
Change-Id: I5032e31fc7615a63c2630687bc81e663f2286d59
Now system will send an explicit new app installed broadcast
to PackageInstaller.
Bug: 111214100
Test: Able to receive broadcast when new app is installed
Change-Id: I0242f992fd06cc148554bc46d6119c897e03432c
To make sure the dialog does not change height, use a single content view for
all steps of the sequence. We just unhide the view that should actually be
shown.
Also added a night-mode theme.
Test: Manually uninstalled, installed and updated packages.
atest CtsNoPermissionTestCases
CtsNoPermissionTestCases25
CtsPackageInstallTestCases
CtsPackageUninstallTestCases
CtsPackageInstallerTapjackingTestCases
Change-Id: I890bb1f2697df3af87b6cb65e460f611334523ee
(this icon is shown when e.g. Google Drive shows the package installer
as a "share" target.)
Test: Looked at icon in settings
Change-Id: I856832b4eb5b417c0a2e6bc7cab699011cf46075
- remove unnecessary androidx dependency
- Move OverlayTouchActivity to base package as this app does not deal
with permissions anymore.
Test: Built
Change-Id: I055ac287f480e9ba47c54333e7994efe87648f1b
The two components were mostly independent for a long time. Since
I1e80a3f5e63d02b3859ecf74af21ca4c61f96874 the installation flow does
not grant any permissions anymore and the last connection between these
parts was broken.
The new app "com.android.packageinstaller" in
frameworks/base/packages/PackageInstaller will only handle (side load)
package installation and uninstallation.
The existing app will be renamed to "com.android.permissioncontroller"
and only handle permission granting and permission management.
This change does only minimal cleanup. In particular it does
not move any files in the old permission controller. This is to not
disturb other features currently in development.
This change set also updates the make files to install the two apps on
the appropriate devices.
Further, the permission policy xmls need to be updated to point to the
right packages.
Test: Installed + uninstalled packages
Granted permissions + managed permissions
GtsPackageInstallTestCases
GtsNoPermissionTestCases
GtsNoPermissionTestCases25
GtsPackageInstallerTapjackingTestCases
GtsPackageUninstallTestCases
Change-Id: I2d3796b837fc0049e712c82a990907f305c8febf
No code modifications done yet so that it will be clear what code
changed.
Test: Does not build; requires a later change
Change-Id: If0c0be70555808424d214ba6627a3042666925ed