Before all permissions were granted at install time at once, so the user
was persented with an all or nothing choice. In the new runtime permissions
model all dangarous permissions (nomal are always granted and signature
one are granted if signatures match) are not granted at install time and
the app can request them as necessary at runtime.
Before, all granted permission to an app were identical for all users as
granting is performed at install time. However, the new runtime model
allows the same app running under two different users to have different
runtime permission grants. This change refactors the permissions book
keeping in the package manager to enable per user permission tracking.
The change also adds the app facing APIs for requesting runtime permissions.
Change-Id: Icbf2fc2ced15c42ca206c335996206bd1a4a4be5
Required for GTS tests. Needed to relax the restriction that
only root user can run 'pm create-user' as GTS tests can't
get root permissions.
Bug: 17312478
Change-Id: I1841286ddf51756c73018c087a5f29afeb5b9f15
poll() returns immediately; we want to take() to wait for the result
to actually arrive.
Bug: 17510699
Change-Id: I87669e79e9941480fed33e4cc8a38de793d59e90
This ensures that both are using (almost) identical logic when
deciding what installs to proceed with. Installs from "pm" for all
users now run as OWNER, and rely solely on INSTALL_ALL_USERS to
express intent. This keeps install session notifications simple.
Since installer UID can vary from installer package name, start
persisting the UID. Also parse some missing flags for install
sessions.
Bug: 17469392
Change-Id: I6d89b1a787aa2024cc4bebf6b9c29317c358e147
When a user is removed, enumerate through all installed packages
to see if any of them are not installed for any user. Delete the
package if no user has it "installed".
Added a pm option to install an apk for a specific user.
Fixed a crash in UserManagerService when executing the above
cleanup - dying users generate a null UserInfo.
Bug: 15426024
Change-Id: I571decde1ae1c257d0da6db153b896aad6d6bcb4
Sessions can now zero-copy data directly into pre-allocated ASEC
containers. Then at commit time, we compute the total size of the
final app, including any inherited APKs and unpacked libraries, and
resize the container in one step.
This supports both brand new ASEC installs and inheriting from
existing ASEC installs. To keep things simple, it currently requires
copying any inherited ASEC contents, but this could be optimized in
the future.
Expose new vold resize command, and allow read-write mounting of ASEC
containers. Move native library extraction into the installer flow,
since it needs to happen before ASEC is sealed. Move multiArch flag
into NativeLibraryHelper, instead of making everyone pass it
around. Migrate size calculation to shared location.
Separate "other" package name in public API, provide a path to a
storage device when relevant, and add more docs.
Bug: 16514385
Change-Id: I06c6ce588d312ee7e64cce02733895d640b88456
Switch to using IntentSender for results to give installers easier
lifecycle management. Move param and info objects to inner classes.
Bug: 17008440
Change-Id: I944cfc580325ccc07acf22e0c681a5542d6abc43
If an app is installed with an ABI override (adb install -r --abi)
we should remember this so that we don't revert to the scan derived
ABI on the next reboot.
bug: 16476618
Change-Id: I6085bc0099eb613dd9d3b07113c7c13859780697
To resume install sessions across device boots, persist session
details and read at boot. Drop sessions older than 3 days, since
they're probably buggy installers.
Add session callback lifecycle around open/close to give home apps
details about active installs. Also give them a well-known intent
to show session details.
Extend Session to list staged APKs and open them read-only, giving
installers a mechanism to verify delivered bits, for example using
MessageDigest, before committing.
Switch to generating random session IDs instead of sequential.
Defensively resize app icons if too large. Reject runaway
installers when they have too many active sessions.
Bug: 16514389
Change-Id: I66c2266cb82fc72b1eb980a615566773f4290498
Recently we removed the PackageManager inotify triggers, meaning the
only supported ways of installing apps were:
-- adb install -r Foo.apk
-- adb shell stop && adb sync && adb shell start
Iterating on most system apps (like Settings) can use the first
approach, but it doesn't work for "persistent" processes like
SystemUI. (ActivityManager is very particular about how it deals
with persistent apps, and it always sticks with the first
ApplicationInfo found at boot.)
So to enable rapid iteration on persistent apps, we now offer the
one missing piece of forcing a dexopt with a new pm force-dex-opt
command only available to -eng or -userdebug builds. Typical use
for iterating on persistent apps now looks like this:
$ mmm frameworks/base/packages/SystemUI/ && adb sync &&
adb shell pm force-dex-opt com.android.systemui &&
adb shell kill `pid systemui`
Yay!
Change-Id: I0ae2467f1d7cda56c70ba20953cd25fa8ee766ff
This corrects the expected behavior of the app state. Hidden apps
can be installed by the store to be brought out of hidden state.
Bug: 16191518
Change-Id: Id128ce971ceee99ba1dea14ba07ce03bd8d77335
Also track historical install sessions for debugging purposes. Hide
signature verification API for now. Clear code cache only after
killing the app being upgraded.
Bug: 14975160
Change-Id: I52fc7f11d2506f792236d8a365c8cfed21b46c30
Flesh out documentation and finalize first cut of API. Also surface
installLocation and splitNames through PackageInfo.
Bug: 14975160, 15348430
Change-Id: Ic27696d20ed06e508aa3526218e9cb20835af6a0
Oops, forgot to include message argument to invoke the new-style
callback. Also use more robust way of generating cluster APK
directory names, and add more logging details on rename failure.
Change-Id: Ifa8abdd1db58b73e13b9a8077ec126cf20a0d90e
Flesh out implementation of install session observers. Carve out 20%
of published install progress for final system operations such as
dexopt, etc.
Add dumpsys output for active install sessions. Create explicit
fsync() instead of overriding meaning of flush(). Hack to throw
IOExceptions over Binder calls.
Bug: 14975160, 15348430
Change-Id: I874457e40c45d2661bc0a526df9285ffea4bb77c
Instead of surfacing all the existing cryptic error codes, we're
going to classify them into broad categories when surfacing through
public API. This change introduces InstallResultCallback and
UninstallResultCallback, and wires them up to existing AIDL
interfaces.
Also start defining general SessionObserver for apps interested
in general progress details, such as Launcher apps. Details about
active sessions are returned through new InstallSessionInfo objects.
Bug: 14975160
Change-Id: I068e2b0c30135f6340f59ae0fff93c321047f8f9
Separate commands to create an install session, stream files into the
staging area, and then commit the install. Streaming can accept data
from stdin across adb, avoiding extra copy from push.
Extend FileBridge to support blocking close(). Always destroy
session regardless of result.
Bug: 14975160
Change-Id: Ic3f462e7d1901079b785e210228950cdfa676466
The "pm list permissions" command lists detailed information about
each permission on the system, including its label and description,
both of which can be stored as translatable resource strings in APK
files. However, it is possible that the resource identifiers for
these strings point to non-existent resources. When this happens, the
loadText() method throws Resources.NotFoundException, causing the "pm"
command to abort prematurely, simply printing "Killed" to stdout and
a stack trace to logcat.
This commit fixes the crash by explicitly catching the
Resources.NotFoundException exception in loadText() and returning null
if it is thrown. The loadText() method already has the potential to
return null so none of its callers need be modified. This fixes the
crash and simply shows "label:null" and/or "description:null" in the
output if the string resource is missing.
Change-Id: I92273399e1dac6029163750d004940ee1da67428
Introduces new ApplicationInfo fields to surface zero or more split
APKs for an application. Splice these APKs into both the class
loader and resource system. Cleaner building of these paths.
Run dexopt() on all split APKs found after a parse, and populate
into ApplicationInfo.
Change-Id: I4a376bf4492d84ea95aafa866e106ea43a43e492
This allows callers to force an install to a particular
ABI. This is intended only for testing (and CTS) and is
not meant for usage by the installer package.
bug: 14453227
(cherry picked from commit 6431d11cd420536aaa9d93ae510a3151ccc4df1d)
Change-Id: I85d4f8785deea02a6a4d3cb0b05e6ef8bf64826b
This allows callers to force an install to a particular
ABI. This is intended only for testing (and CTS) and is
not meant for usage by the installer package.
Change-Id: Icb1528c0cd35b1aa9323386cb35ff4aaba374fcb
Default is still uninstall for all users, but if --user
is passed in it will just uninstall for that user.
For system apps if --user is supplied it will uninstall
rather than revert to the current system version.
Change-Id: If1be0f78f01391f7ac6b53150dfeeccd0c002899
Rename the related user concept as profiles.
When returning profiles of a user include the
user as a profile of itself.
Change-Id: Id5d4f29017b7ca6844632ce643f10331ad733e1d
...and now fail conservatively when two apps both attempt to define
the same permission. Apps signed with the same certificate are
permitted to redefine permissions.
We also finally have a (hidden) interface class for observing package
installation so that we can now rev the interface without breaking
existing callers.
Bug 13551375
Change-Id: Ifa4e59154dcccbb286ee46a35a6f25e4ad0f0f01
...and now fail conservatively when two apps both attempt to define
the same permission.
We also finally have a (hidden) interface class for observing package
installation so that we can now rev the interface without breaking
existing callers.
Bug 13551375
Change-Id: I3a286d024a30e812ee4b098f345401df3c00e178
Collect related initialized users and start
them on boot and user switch.
Update list users command to show whether a
user is running or not.
Change-Id: Ib3d5debcb01ec55a07d93450b988b0180fc63263
Introduces a new "blocked" state for each package. This is used to temporarily
disable an app via Settings->Restrictions.
PIN creation and challenge activities for use by Settings and other apps. PIN
is stored by the User Manager and it manages the interval for retry attempts
across reboots.
Change-Id: I4915329d1f72399bbcaf93a9ca9c0d2e69d098dd
Adds a platform API, and pm command. Fixes some issues with
dumping per-package data in package manager, makes battery
stats able to dump per-package state.
Change-Id: I76ee6d059f0ba17f7a7061886792b1b716d46d2d
The Activity Manager was not properly informing the observer that
the operation had concluded (unsuccessfully).
Bug 8222595
Change-Id: I8234e32d8edf4112c8c7a5e20e341d0b41e23014
API and preliminary implementation for sharing primary user accounts with a secondary user.
AbstractAccountAuthenticator has new methods to retrieve and apply a bundle of credentials
to clone an account from the primary to a restricted secondary user. The AccountManagerService
initiates the account clone when it starts up the user and detects that the user has
a shared account registered that hasn't been converted to a real account.
AccountManager also has new hidden APIs to add/remove/get shared accounts. There might be
further improvements to this API to make shared accounts hidden/visible to select apps.
AccountManagerService has a new table to store the shared account information.
Added ability in PackageManager to install and uninstall packages for a secondary user. This
is required when the primary user selects a few apps to share with a restricted user.
Remove shared accounts from secondary users when primary user removes the account.
Change-Id: I9378ed0d8c1cc66baf150a4bec0ede56f6f8b06b
Reworking the locking in resources so that we never hold the
state lock while calling in to potential long running operations.
This means the mTmpValue can no longer be final (since we need
to use it while the lock isn't held), so a new field needs to
be added as the lock and everything that touches mTmpValue must
deal with it being null, restoring the value in there when
possible, etc.
Change-Id: Ie5ffd0f66e5f2d0e869a62d72e7a55b1c74fe872
The disabled state allows you to make an app disabled
except for whatever parts of the system still want to
provide access to them and automatically enable them
if the user want to use it.
Currently the input method manager service is the only
part of the system that supports this, so you can put
an IME in this state and it will generally look disabled
but still be available in the IME list and once selected
switched to the enabled state.
Change-Id: I77f01c70610d82ce9070d4aabbadec8ae2cff2a3
Take advantage of this to return better information about
packages filtered by permissions -- include the permissions
they have in the requested array.
Also fix issue #8026793 (Contact picture shows default pic
while searching for a contact in qsb) by using the base
package name of the Context when reporting the app name
of an operation. Otherwise you could make a resource-only
context for another application and do calls through that
and get reported as the wrong app.
Change-Id: I5e0488bf773acea5a3d22f245641828e1a106fb8
