You can now control the range of target SDKs that receivers
will need to have in order to receive your broadcast.
Use this for CONNECTIVITY_ACTION to not allow N+ applications
to receive these broadcasts through their manifest.
Also tweak the broadcast debug output code to now include the
disposition of each receiver in the list. This is becoming
important as skipping receivers is becoming a more common
thing to have happen.
Change-Id: I251daf68575c07cbb447536286ab4e68b7015148
Rename APIs to reflect that they're storage-related. Also move
credential-storage APIs to be system API.
Return a null Context when device-encrypted storage isn't
supported. This is the easiest way to keep legacy apps working when
upgrading from M to N.
Reduce strictness of path checking so we don't crash when working
with special packages like "android".
Bug: 22358539, 26104027
Change-Id: I38c24fc003488186210a6ae3b64270f86e1efe56
There are far too many Context APIs with special directory paths
to replicate device-encryption versions of them all. Instead, add
methods to clone a Context that explicitly stores its data in either
credential- or device-encrypted storage.
Methods to test the behavior of a given Context.
Bug: 22358539
Change-Id: I6a6290a9b282605ce9a1f82742fc2c4c50536754
Add APIs for an ephemeral app to set a cookie which is a small
piece of data cached longer than the app itself. This is useful
for avoiding having the user log in every time they use the ephemeral
app. The cookie is stored after an ephemeral app is uninstalled.
Normal apps or ephemeral apps upgraded to full apps can also use
these APIs with the difference that once they are uninstalled
the cookie is deleted.
The cookie size defaults to 16KB and is configurable by a global
settings which can be adjusted via gservices. Also eviction policy
is time based with a default of one month and is configurable by
a global setting which can be adjusted via gservices. If the cert
of the app changes (when ephemeral is installed, uninstalled and
installed again) the cookie is wiped to prevent data leaks.
This change also adds an API for apps to know whether they run in
an ephemeral mode since in this mode some APIs will not be available.
Another API exposed by this change is private for the system and
exposes all ephemeral apps - installed and uninstalled. Only the
system can call this API. When an ephemeral app is uninstalled the
system stores its name, icon, and permissions. When the app is
reinstalled or a full version is installed the permissions are
propagated.
Change-Id: Id4a73a7750bfbabda0bfcb9bf9018d2062e94367
Needed for apps that want to migrate SharedPreferences from CE to DE
storage. Note that a device will only ever enter a CE mode with a
factory reset, so apps should only be using these APIs when they
want to migrate files to a consistent location on non-FBE devices
for simplicity.
Bug: 25503089
Change-Id: Ic846215da1617d116a048e036415ac7ad523b770
Needed to support storage of SharedPreferences on both credential-
encrypted and device-encrypted storage paths.
Bug: 22358539
Change-Id: I576b696951b2a9de817d5be63d31b06f7e166a19
With some core classes moved to separate core-oj jar
we need to use the new jar.
(cherry-picked from f898cda2f499b14f92bc7fb75f44110cdec7654f)
Change-Id: Ica148f11bcc77f57d22944ff78c501611a293167
Define two explicit directories where device-encrypted and
credential-encrypted data will be stored. Third-party apps only
need access to the device-encrypted directory, so that's the only
API exposed for now.
General cleanup in how ApplicationInfo details are derived.
Bug: 22358539
Change-Id: If0a0108721a4aa1c3052b4912e08604bbf24e1ae
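The credential/device-encrypted storage commits above (the cloned storage Context, the null return on unsupported devices, and the SharedPreferences migration) in use, as an added example rather than code from these commits. It assumes the later public names createDeviceProtectedStorageContext(), isDeviceProtectedStorage() and moveSharedPreferencesFrom(), and a hypothetical preferences file name.

```java
import android.content.Context;
import android.content.SharedPreferences;

/** Added example; not part of the commits above. Names prefixed "example" are hypothetical. */
public final class DirectBootPrefs {
    // Hypothetical preferences file holding only settings needed before user unlock.
    private static final String PREFS_NAME = "example_startup_settings";

    private DirectBootPrefs() {}

    /**
     * Returns preferences stored in device-encrypted (DE) storage, migrating the
     * legacy credential-encrypted (CE) copy on first use.
     * DE storage is readable before the user's credential has been entered, so
     * only non-sensitive data belongs here; tokens and passwords stay in CE.
     */
    public static SharedPreferences openDeviceProtectedPrefs(Context appContext) {
        // Clone of the Context whose files live in the DE directory. The commits
        // above describe a null return when DE storage is unsupported, so handle it.
        Context de = appContext.createDeviceProtectedStorageContext();
        if (de == null || !de.isDeviceProtectedStorage()) {
            return appContext.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        }
        // moveSharedPreferencesFrom returns true if the file was moved or did not
        // exist in the source, false if the move failed (e.g. an I/O error).
        boolean ok = de.moveSharedPreferencesFrom(appContext, PREFS_NAME);
        SharedPreferences prefs = de.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE);
        if (!ok) {
            // Keep using the DE copy (possibly empty) rather than reading CE before unlock.
            prefs.edit().putBoolean("example_migration_failed", true).apply();
        }
        return prefs;
    }
}
```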
Add methods installPackageAsUser and installExistingPackageAsUser
and deletePackageAsUser and getPackageInfoAsUser.
BUG:23516394
Change-Id: I15e30d2ec45ab18c7f8c0ac02cfc617c50fedb44
This reverts commit 3b0fc3cf24e1fecdbc11808483c2109415ebfdd2.
It breaks the build. I had missed other places that extend PackageManager.
Change-Id: Iff012ed4ec8d2d32821586eca85fce55ae67f5b5
Add methods installPackageAsUser and installExistingPackageAsUser
and deletePackageAsUser and getPackageInfoAsUser.
Change-Id: I9a3ff96f968b4f8d21a57cc7760679628d35c1a9
BUG:23516394
We now place whoever is receiving the MMS on the temporary
whitelist while doing so, so they can get network access to
download it.
There was also an issue that needed to be fixed where we
were no longer updating the list of allowed uids while
dozing based on their proc states... we now do that.
Also did a bit of optimization of the temp white list update
path to the network policy manager, instead of going through
a broadcast we now directly call in to the network policy
manager. This also allows us to have a synchronous version
of updating the list, so we can know the app has network access
before we tell it to do anything.
Finally added battery stats events for things going on and off
the whitelist so we can diagnose the behavior there.
Change-Id: Ic7fe010af680034d9f8cb014bb135b2addef7455
Added Context.sendBroadcastMultiplePermissions(Intent intent, String[]
receiverPermissions) method, which allows an array of required permissions
to be enforced.
Bug: 21852542
Change-Id: I27c9130e8f004b428452501ebc8a36aabde1f343
Added Context.sendBroadcast(Intent intent, String[] receiverPermissions)
method, which allows an array of required permissions to be enforced.
Bug: 21852542
Change-Id: I3b8ff258fa9f3249c344bb8093b820b24eef00c0
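The permission-array broadcast from the two commits above on both the sending and receiving side, as an added example rather than code from the commits. It uses the public name sendBroadcastMultiplePermissions (API 30+) for the array-taking sendBroadcast, and the action and permission strings are hypothetical.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

/** Added example; not code from the commits above. All string constants are hypothetical. */
public final class GatedBroadcast {
    static final String ACTION = "com.example.action.SYNC_DONE";
    static final String PERM_READ_SYNC = "com.example.permission.READ_SYNC";
    static final String PERM_INTERNAL = "com.example.permission.INTERNAL";

    private GatedBroadcast() {}

    /** Sender side: a receiver gets the Intent only if it holds EVERY listed permission. */
    public static void send(Context ctx, String accountId) {
        Intent intent = new Intent(ACTION).putExtra("account", accountId);
        // Single-permission form: ctx.sendBroadcast(intent, PERM_READ_SYNC).
        // Array form enforces both permissions; a receiver lacking either is skipped.
        ctx.sendBroadcastMultiplePermissions(intent, new String[] {PERM_READ_SYNC, PERM_INTERNAL});
    }

    /**
     * Receiver side: gating is mutual. Passing a broadcastPermission here means the
     * system drops Intents from senders that do not hold PERM_INTERNAL, so a third-party
     * app cannot spoof ACTION. (Apps targeting API 34+ must also pass
     * RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED via the flags overload.)
     */
    public static BroadcastReceiver register(Context ctx) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent intent) {
                if (!ACTION.equals(intent.getAction())) {
                    return;
                }
                String account = intent.getStringExtra("account");
                // ... act on the account id, which only a PERM_INTERNAL holder could send ...
            }
        };
        ctx.registerReceiver(receiver, new IntentFilter(ACTION), PERM_INTERNAL, null);
        return receiver;
    }
}
```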
- Get rid of obsolete annotations in MediaInserterTest.
- Drop support for @BrokenTest and @SideEffect. Nobody uses
SideEffect and none of the tests that use this test runner
(vm-tests-tf, essentially) use @BrokenTest.
Change-Id: Id73c4d4eda8031689f9263c85b563c29e635d446
Issue #21814207: AlarmManager.setAndAllowWhileIdle should also allow wake locks.
Introduce a whole new infrastructure for providing options when
sending broadcasts, much like ActivityOptions. There is a single
option right now, asking the activity manager to apply a temporary
whitelist to each receiver of the broadcast.
Issue #21814212: Need to allow configuration of alarm manager parameters
The various alarm manager timing configurations are not modifiable
through settings, much like DeviceIdleController. Also did a few
tweaks in the existing DeviceIdleController impl.
Change-Id: Ifd01013185acc4de668617b1e46e78e30ebed041
We now maintain a meta-state with each permission in the form of flags
specifying the policy for this permission. This enables support of the
following use cases:
1. The user denies a permission with prejudice in which case an app cannot
request the permission at runtime. If an app requests such a permission
it gets a denial unless the user grants the permission from settings.
2. A legacy app with disabled app-ops being upgraded to support runtime
permissions. The disabled app ops are converted to permission revocations.
The app ops manager is a part of the activity manager which sits on top
of the package manager, hence the latter cannot have a dependency on the
former. To avoid this the package installer which is the global
permission management authority marks the permission as revoked on
upgrade and the package manager revokes it on upgrade.
3. A device policy fixing a permission in a granted or revoked state. This
additional information is folded in the meta-state flags and neither
apps can request such permissions if revoked nor the user can change
the permission state in the UI.
Change-Id: I443e8a7bb94bfcb4ff6003d158e1408c26149811
Since package and primary storage movement can take quite awhile,
we want to have SystemUI surface progress and allow the Settings
app to be torn down while the movement proceeds in the background.
Movement requests now return a unique ID that identifies an ongoing
operation, and interested parties can observe ongoing progress and
final status. Internally, progress and status are overloaded so
the values 0-100 are progress, and any values outside that range
are terminal status.
Add explicit constants for special-cased volume UUIDs, and change
the APIs to accept VolumeInfo to reduce confusion. Internally the
UUID value "null" means internal storage, and "primary_physical"
means the current primary physical volume. These values are used
for both package and primary storage movement destinations.
Persist the current primary storage location in MountService
metadata, since it can be moved over time.
Surface disk scanned events with separate volume count so we can
determine when it's partitioned successfully. Also send broadcast
to support TvSettings launching into adoption flow.
Bug: 19993667
Change-Id: Ic8a4034033c3cb3262023dba4a642efc6795af10
Since packages can be moved to other volumes, all relevant commands
to installd now require an explicit volume UUID parameter.
Bug: 20275577
Change-Id: Ie84f5bc43c7aada5800b8d71692c7928b42b965e
The READ_PHONE_STATE permission protects PII information and
is in the Phone group. This change is adding the corresponding
app op for gating access to the API guarded by READ_PHONE_STATE
which will be used instead as an access control for legacy apps.
Change-Id: I2ff895a5a0e529f26ec0ad706266a30d829268ba
Add API to determine the possible candidate volumes that a package
can be moved to. For example, it currently knows that we need to
move ASEC-based apps through internal storage before migrating them
to a private volume.
Comparator for consistent VolumeInfo ordering when displayed in UI.
Fix native library symlink to be volume UUID aware.
Bug: 19993667
Change-Id: I68d5fac5f0f776ac1c7dd15e7a984bfe2704f3f7
- add private PackageManager APIs for setting/getting the default
Browser App package name
- serialize / deserialize the default Browser App package name per User
Also relax the Hosts name validation for the AppLinks feature. Now we
just care if the IntentFilter has an HTTP or HTTPS scheme.
Change-Id: I4436f66ac6beff57e14f7f3a2a00b0b582c03be9
- add private API PackageManager.getAllIntentFilters(String)
for getting all IntentFilters from a given package
- update IntentFilterVerificationInfo to use an ArrayList<String>
for domains instead of a String[]
- if you make an App a default domain handler then make the
others as non default
- create an IntentVerificationInfo even if the App IntentFilters
do not need to be verified. This would be done only if the App
has some domain URLs defined and would allow to make it the
default handler for a domain
- a few code optimizations here and there
Change-Id: I4535372a0bb1a2c8e662e1485be8ca700003e9b3
PackageManager now offers to load/unload packages when expanded
volumes are mounted/unmounted. Expanded storage volumes are still
treated as FLAG_EXTERNAL_STORAGE from a public API point-of-view,
but this change starts treating the INSTALL_EXTERNAL flag as
exclusively meaning ASEC containers.
Start tracking the UUID of the volume where a package is installed,
giving us a quick way to find relevant packages. When resolving an
install location, look across all expanded volumes and pick the one
with the largest free space. When upgrading an existing package,
continue preferring the existing volume. PackageInstaller now knows
how to stage on these volumes.
Add new movePackage() variant that accepts a target volume UUID
as destination, it will eventually move data too. Expose this
move command through "pm" command for testing.
Automount expanded volumes when they appear.
Bug: 19993667
Change-Id: I9ca2aa328b9977d34e8b3e153db4bea8b8d6f8e3
The purpose of this feature is to prompt the Disambiguation dialog
to Users as little as possible.
- add the new "autoVerify" property to the IntentFilter class
- add new APIs to PackageManager:
verifyIntentFilter(int, int, List<String>),
getIntentVerificationStatus(String, int),
updateIntentVerificationStatus(String, int, int),
getIntentFilterVerifications(String)
for supporting IntentFilter verification
- add support for multi-user
- update PackageManager for IntentFilter verification:
basically when we are installing a new package, ask for verification
of all domains from the IntentFilters that have the "autoVerify" to true.
This means that the PackageManager will send a well defined protected
broadcast (with a new INTENT_FILTER_NEEDS_VERIFICATION action) to
an IntentFilter verifier to do the real job of verification.
We are passing in the broadcast Intent all the necessary data for
doing the verification. The PackageManager will receive as response
the result code of the domain verifications and, if needed, the list
of domains that have failed the verification.
- add a new INTENT_FILTER_VERIFICATION_AGENT permission that needs to
be set by an intent filter verifier to be considered as a trustable
party by the PackageManager.
- add also a new BIND_INTENT_FILTER_VERIFIER permission for securing
the binding between the PackageManager and a service doing the
intent filter verifications.
- add ResolveInfo filterNeedsVerification which is a boolean
to know if the IntentFilter is of a type that needs a verification
(action VIEW, category BROWSABLE, HTTP/HTTPS data URI)
- add new "domain-preferred-apps" / "d" dump command for listing the
preferred Apps for all domains
- add new "intent-filter-verifiers" / "ivf" command for listing the
IntentFilterVerifier used
- introduce the IntentVerificationService which is a basic service
for verifying IntentFilters. This service will send HTTPS requests
to the domain declared in the IntentFilter(s) for doing the
verification. This service has a low priority level so that it
can be replaced by a more sophisticated one if needed. This service
is updating the PackageManager intent verification states through
the updateIntentVerificationStatus(...) API.
- update MockPackageManager
Change-Id: I0bfed193d0bf1f7c7ac79f6c1b160b7ab93b5fb5
Before all permissions were granted at install time at once, so the user
was presented with an all or nothing choice. In the new runtime permissions
model all dangerous permissions (normal are always granted and signature
ones are granted if signatures match) are not granted at install time and
the app can request them as necessary at runtime.
Before, all permissions granted to an app were identical for all users as
granting is performed at install time. However, the new runtime model
allows the same app running under two different users to have different
runtime permission grants. This change refactors the permissions book
keeping in the package manager to enable per user permission tracking.
The change also adds the app facing APIs for requesting runtime permissions.
Change-Id: Icbf2fc2ced15c42ca206c335996206bd1a4a4be5
Added an overload of getSystemService() that takes a class instead of a
service name to eliminate the extra cast and provide more type safety.
Cleaned up docs.
Removed the default constructor of BatteryManager which should not have
existed.
Change-Id: I9da46b20641fc83ecd3342560e5b94cb721f289c
All but a few lines of this is for issue #16013164, which allowed
apps to do some operations as the media uid by having it call
back to them to open a file. The problem here is with the temporary
identity stuff in the activity manager, allowing us to make the open
call as the original caller... ideally we should figure out a way
to just get rid of all of that, but the solution here is actually
easier (even though it doesn't look it) -- we now hand a token over
to the openFile() call that it can use when doing permission checks
to say "yes I would like the check to be against whoever is responsible
for the open". This allows us to do the uid remapping for only this
one specific set of permission checks, and nothing else.
Also fix issue #17487348: Isolated services can access system services
they shouldn't be able to. Don't send any system service IBinder objects
down for the first initialization of an isolated process.
Change-Id: I3c70e16e0899d7eef0bae458e83958b41ed2b75e