path: root/core/java/android/app/AppOpsManager.java
Commit message [Author, Age, Files, Lines]
* RESTRICT AUTOMERGE Fix READ/WRITE operation access issues on Restricted appOps. [Hao Ke, 2024-08-27, 1, -1/+1]
| Problems were identified around read and write access to the restricted appOps, this change includes:
| - Filter out restricted appOps status for unprivileged readers.
| - Allow additional privileged appOps permission holder reading restricted appOps status.
| Bug: 336273802
| Bug: 336323279
| Test: Local test see b/336273802#comment3
| Test: atest AppOpsTest#testRestrictedSettingsOpsRead
| (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:e2471e03e471ed701dd1ac0c6c483f82b0dd22d0)
| Merged-In: I09008b365e36b2c20c9a1fe5a1d52699ddb17d35
| Change-Id: I09008b365e36b2c20c9a1fe5a1d52699ddb17d35
* RESTRICT AUTOMERGE Use chain start token in performOpTransaction [Nate Myren, 2022-12-14, 1, -9/+13]
| Bug: 258672042
| Test: atest CtsPermission4TestCases
| Change-Id: I1d484ed7c72d4ae73f4cbec47522a18ae9088f6e
| (cherry picked from commit 297388e374f0a1e5b7f52961a81246c2fecb81e6)
| Merged-In: I1d484ed7c72d4ae73f4cbec47522a18ae9088f6e
* Revert "DO NOT MERGE Add GET_USAGE_STATS to RUNTIME_AND_APPOP_PERMISSIONS_OPS" [Nate Myren, 2022-08-24, 1, -1/+0]
| This reverts commit 76718dd9f4dc62368c6b166f360e3f1e64f0f5d9.
| Reason for revert: b/243646481
| Change-Id: I6b200a3269e2a4fd1943c20e3074f19afe46f6dd
* DO NOT MERGE Add GET_USAGE_STATS to RUNTIME_AND_APPOP_PERMISSIONS_OPS [Nate Myren, 2022-08-22, 1, -0/+1]
| Fixes: 243182796
| Test: atest AppOpDefinitionTest
| Change-Id: Ib8b1bdff066b2b69a42854ae7cfa652ad8f8b1f4
* Revert "Fix default mode for system alert window on low-RAM device." [Jon Spivack, 2022-05-13, 1, -15/+4]
| This reverts commit 8152335ad4bd6b85e83a912297cc5358c53e7858.
| Reason for revert: This change caused regression b/230273264
| Bug: 230273264
| Fixes: 230273264
| Change-Id: I041e3a12cc2a0d913e533b8bf414febdf0bf65ec
* Note RECEIVE_AMBIENT_TRIGGER_AUDIO in the SoundTrigger [Nate Myren, 2022-05-09, 1, -4/+29]
| This op gets around the background restrictions on RECORD_AUDIO, when used for SoundTrigger detection
| In addition, moves the precise logic for soundtrigger RECORD_AUDIO checks out of the soundtrigger system
| Fixes: 230430779
| Test: manual
| Change-Id: I6d63c99e2d31e3f668070ac82afed71ff6672c9e
| Merged-In: I6d63c99e2d31e3f668070ac82afed71ff6672c9e
* Allow system server uid to bypass location restriction [Evan Severson, 2022-05-05, 1, -9/+14]
| Blocking system server from giving itself location restriction doesn't make much sense.
| Test: Disable, reboot, observe bootloop, apply patch, build, flash, observe successful boot
| Bug: 231281927
| Change-Id: Ic869da4847e4f39896861f3bf6e83f6f6c76ea62
* Disallow privileged apps to bypass location restriction [Evan Severson, 2022-04-29, 1, -2/+2]
| This bypass was originally allowed to let restricted users who can't use location to pair bluetooth devices. This isn't needed anymore with the bluetooth permissions.
| Test: Set up restricted profile and pair bluetooth
|       Verify com.android.phone gets rejected
| Fixes: 230861324
| Change-Id: Ib34c0b56ef52f5ee2deceb84b02cd0ff73d8181d
* Add OEM config for enhanced confirmation mode and add restricted read ops [Ricky Wai, 2022-04-20, 1, -0/+135]
| OEM can set the config in config.xml to enable / disable enhanced confirmation mode.
| And now we only allow apps with manage appops permission to read ACCESS_RESTRICTED_SETTINGS op, so bad apps cannot know if the app is in restricted setting mode
| Bug: 217711280
| Bug: 217709978
| Test: atest AppOpsTest#testRestrictedSettingsOpsRead
| Test: With OEM config on, accessibility page for unknown source app is disabled by default.
| Test: With OEM config off, accessibility page for unknown source app is not disabled.
| Change-Id: I6da408306ae43972b7af81c0a3c91bf95e9d6993
| Change-Id: I9b79c2edb1341246e75c0d495e3158d370cd7d22
* Rename READ_MEDIA_IMAGE to READ_MEDIA_IMAGES [Jay Thomas Sullivan, 2022-03-09, 1, -1/+1]
| This permission was only created very recently, and it is unlikely that any apps are using it yet. After its creation, it was decided that it should be renamed.
| Bug: 223691971
| Test: atest CtsPermissionTestCases CtsPermission3TestCases
| Change-Id: I9c171161e2c60d38c14e167ea7b7b87bf1235e1b
* Fix default mode for system alert window on low-RAM device. [Rajeev Kumar, 2022-02-16, 1, -4/+15]
| Bug: 219771773
| Fixes: 219771773
| Test: atest com.google.android.memory.gts.RestrictedFeatureTest#testSystemAlertWindowRestriction
| Change-Id: I688dc11154383966f83cfdfcd1163a713bb03e61
* Define new AUDIO/VIDEO/IMAGE permissions [Jay Thomas Sullivan, 2022-02-01, 1, -3/+3]
| Define three new permissions:
| - READ_MEDIA_AUDIO: read audio files from external storage
| - READ_MEDIA_VIDEO: read video files from external storage
| - READ_MEDIA_IMAGE: read image files from external storage
| Also, define two new permission groups:
| - READ_MEDIA_AURAL
| - READ_MEDIA_VISUAL
| The permissions are assigned to permission groups as follows:
| READ_MEDIA_AURAL {
|   READ_MEDIA_AUDIO
| }
| READ_MEDIA_VISUAL {
|   READ_MEDIA_VIDEO
|   READ_MEDIA_IMAGE
| }
| The motivation for this change is to support the "Media Permission Update for Android T" project.
| Bug: 201318587
| Test: atest CtsPermissionTestCases CtsPermission3TestCases
| Change-Id: I1539ba4e401dac452e1b9717dc6c95035b28c18e
* Merge "Revert "Define new AUDIO/VIDEO/IMAGE permissions"" [Jay Sullivan, 2022-01-31, 1, -3/+3]
|\
| * Revert "Define new AUDIO/VIDEO/IMAGE permissions" [Jay Sullivan, 2022-01-29, 1, -3/+3]
| | Revert "Fix PermissionPolicyTest and SplitPermissionsSystemTest"
| | Revert submission 15933906-t-define-media-permissions
| | Reason for revert: caused b/216588046 and b/216453842
| | Reverted Changes:
| | I79afe120d:Update DefaultPermissionGrantPolicyTest for new pe...
| | I321282b1f:Fix PermissionPolicyTest and SplitPermissionsSyste...
| | If3d357bae:Define new AUDIO/VIDEO/IMAGE permissions
| | Change-Id: I0d4f0eaefc5c29063f517755b4c9b61417a15fd0
* | Merge "Add restricted settings app ops and apply it into Restricted Preference" [Ricky Wai, 2022-01-28, 1, -1/+25]
|\ \
| |/
|/|
| * Add restricted settings app ops and apply it into Restricted Preference [Ricky Wai, 2022-01-26, 1, -1/+25]
| | Bug: 202130031
| | Test: Able to compile and boot device successfully
| | Change-Id: I4501cc90c681165e10c82a359f21951856519fd8
* | Define new AUDIO/VIDEO/IMAGE permissions [Jay Thomas Sullivan, 2022-01-18, 1, -3/+3]
|/
| Define three new permissions:
| - READ_MEDIA_AUDIO: read audio files from external storage
| - READ_MEDIA_VIDEO: read video files from external storage
| - READ_MEDIA_IMAGE: read image files from external storage
| Also, define two new permission groups:
| - READ_MEDIA_AURAL
| - READ_MEDIA_VISUAL
| The permissions are assigned to permission groups as follows:
| READ_MEDIA_AURAL {
|   READ_MEDIA_AUDIO
| }
| READ_MEDIA_VISUAL {
|   READ_MEDIA_VIDEO
|   READ_MEDIA_IMAGE
| }
| The motivation for this change is to support the "Media Permission Update for Android T" project.
| Bug: 201318587
| Test: manual
| Change-Id: If3d357baed15b66319a6c2308416622e5e57fe28
* Migrate unsafe parcel APIs in framework-minus-apex [Bernardo Rufino, 2021-12-15, 1, -3/+3]
| Migrate the following unsafe parcel APIs in framework-minus-apex:
| * Parcel.readSerializable()
| * Parcel.readArrayList()
| * Parcel.readList()
| * Parcel.readParcelable()
| * Parcel.readParcelableList()
| * Parcel.readSparseArray()
| This CL was generated by applying lint fixes that infer the expected type from the caller code and provide that as the type parameter (ag/16365240).
| A few observations:
| * In some classes we couldn't migrate because the class also belonged to another build module whose min SDK wasn't current (as is the case for framework-minus-apex), hence I suppressed the lint check (since I'll eventually submit the lint check to the tree).
| * In some cases, I needed to do the cast in https://stackoverflow.com/a/1080525/5765705 to make the compiler happy since there isn't another way of providing a class of type Class<MyClassWithGenerics<T>>.
| * In the readSerializable() case, the new API also requires the class loader, that was inferred to by InferredClass.class.getClassLoader().
| * Note that automatic formatting and import rely on running hooked up to the IDE, which wasn't the case here.
| Bug: 195622897
| Test: TH passes
| Change-Id: I11a27b9bdab7959ee86e90aa1e1cbebd7aaf883c
* Copy pointer to sOnOpNotedCallback before queuing dispatch [Evan Severson, 2021-11-23, 1, -10/+10]
| Test: Reproduce with attached test app
| Fixes: 207324098
| Change-Id: I9680c6f574d4355fcc5732c32e2287c5c1ccd4f2
* Add new appOps to track the behavior of VPN app am: e89ec676a4 am: ↵ [lucaslin, 2021-11-01, 1, -2/+48]
|\
| | f050c4f072 am: 071b7b5ed8 am: 6a6fe48094 am: 5a21857ed0
| | Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1854373
| | Change-Id: I24beb21c1504901a1e41bfbbb0ca03af878872a5
| * Add new appOps to track the behavior of VPN app [lucaslin, 2021-10-26, 1, -2/+48]
| | OPSTR_USE_VPN_SERVICE is used for tracking VPN app which uses VpnService.
| | OPSTR_USE_VPN_MANAGER is used for tracking VPN app which uses VpnManager.
| | Bug: 197135981
| | Test: TH
| | Change-Id: Idaa262623440c178caf346bca76a72b673235850
| * Add new wifi nearby devices app-ops [xshu, 2021-10-19, 1, -1/+15]
| | (cherry-picked from internal master)
| | This will be part of nearby devices permission group
| | Bug: 197776854
| | Test: compiles
| | Change-Id: I6002edfd951322d959cd8f4c7a06381badfd1660
| | Merged-In: I6002edfd951322d959cd8f4c7a06381badfd1660
* | Add new wifi nearby devices app-ops [xshu, 2021-10-11, 1, -1/+15]
| | This will be part of nearby devices permission group
| | Bug: 197776854
| | Test: compiles
| | Change-Id: I6002edfd951322d959cd8f4c7a06381badfd1660
* | Create and default grant Notification permission [Nate Myren, 2021-09-22, 1, -1/+3]
|/
| Add the POST_NOTIFICATIONS runtime permission, the NOTIFICATIONS permission group, and auto-grant the permission to pre-T apps.
| Test: manual
| Bug: 194833441
| Change-Id: I3911275d0d1915cf391b915429fb3af9553c84cb
* Merge "Add attribution info to start callbacks" into sc-dev [Nate Myren, 2021-08-03, 1, -3/+57]
|\
| * Add attribution info to start callbacks [Nate Myren, 2021-08-03, 1, -3/+57]
| | Add attribution flags and chain IDs to start callbacks, and have the PermissionUsageHelper listen for starts. This ensures that, if another start happens while an op is already running, and has chain information, then this chain information will be recorded.
| | Test: manual
| | Bug: 194198234
| | Change-Id: I0ab1aa0969b70e18001f4a814ea5689f9329a019
* | Revert sync app op chain changes [Nate Myren, 2021-08-02, 1, -100/+103]
|/
| These changes cause some noted app ops to be swallowed due to one-way app ops.
| Fixes: 187721493
| Test: atest AppOpsLoggingTest
| Change-Id: I3b761b65b2e06138fc1d130bf80587f8885bb1d5
* Merge "Add OPSTR_RECORD_AUDIO_HOTWORD to TestApi" into sc-dev [TreeHugger Robot, 2021-07-03, 1, -0/+1]
|\
| * Add OPSTR_RECORD_AUDIO_HOTWORD to TestApi [Nate Myren, 2021-06-30, 1, -0/+1]
| | Test: build
| | Bug: 192506494
| | Change-Id: If626f07ec4a04da60295f2f1210cb2e9bbd54f88
* | Create "trusted chain" mechanism for AttributionSource [Nate Myren, 2021-06-30, 1, -1/+9]
|/
| Add and populate a "trusted" attribution flag, that verifies the attribution sources used to create it were trusted.
| Fixes: 192270935
| Test: atest RuntimePermissionsAppOpTrackingTest
| Change-Id: Ifd8f825151bec55aa795da7bee0a3069509f5abe
* Create Attribution Chains in HistoricalOps [Nate Myren, 2021-06-23, 1, -12/+38]
| Add a historical flag to signify that attribution chains should be assembled. Assemble the chains, filter out middle nodes, and attach the last visible node to the start as a proxy info
| Bug: 158792096
| Test: manual
| Change-Id: I8fbd8f438c62b28fd90039440e86224c624dea79
* Store whether attribution tag is valid separate from bypass [Erik Wolsheimer, 2021-06-12, 1, -13/+0]
| Bug: 189484870
| Bug: 190073375
| Test: Manual
| Change-Id: Iccc0e887d28c837a8ef4099af611794590af25c5
* Merge "Switch media fw permissions checks to AttributionSource" into sc-dev [Svetoslav Ganov, 2021-06-02, 1, -21/+156]
|\
| * Switch media fw permissions checks to AttributionSource [Svet Ganov, 2021-06-01, 1, -21/+156]
| | Attribution source is the abstraction to capture the data flows for private data across apps. Checking permissions for an attribution source does this for all apps in the chain that would receive the data as well as the relevant app ops are checked/noted/started as needed.
| | Teach speech recognition service about attribution chains. If an implementation does nothing the OS would enforce permissions and do blame as always. This approach leads to double blaming and doesn't support attribution chains where app calls into the default recognizer which calls into the on device recognizer (this nests recursively). If the implementer takes advantage of the attribution chain mechanism the permissions for the entire chain are checked at mic access time and all apps are blamed only once.
| | Fixed a few bugs around finishing ops for attribution chains. Also ensured that any app death in a started attribution chain would lead to finishing the op for this app
| | bug: 158792096
| | Test: (added tests for speech reco)
| |       atest CtsMediaTestCases
| |       atest CtsPermissionTestCases
| |       atest CtsPermission2TestCases
| |       atest CtsPermission3TestCases
| |       atest CtsPermission4TestCases
| |       atest CtsPermission5TestCases
| |       atest CtsAppOpsTestCases
| |       atest CtsAppOps2TestCases
| | Merged-In: Ic92c7adc14bd2d135ac13b96f17a1b393dd562e4
| | Change-Id: Ic92c7adc14bd2d135ac13b96f17a1b393dd562e4
* | Merge "Fix intermittent async noteOps" into sc-dev [Jay Sullivan, 2021-06-02, 1, -15/+1]
|\ \
| |/
|/|
| * Fix intermittent async noteOps [Jay Thomas Sullivan, 2021-05-17, 1, -15/+1]
| | This removes the 'sThreadsListeningForOpNotedInBinderTransaction' variable and its usages.
| | I think the intention of this variable was to act as a bloom filter: i.e., "threadId is possibly in set or definitely not in set", but... it's actually only giving us "threadId is possibly in set or possibly not in set".
| | This leads to false negatives, which leads to incorrect behavior. In this case, the incorrect behavior was that noteOps would sporadically turn into async noteOps.
| | This is currently causing a few tests to be flaky: when setting a setOnOpNotedCallback listener, sometimes noteOps code come back sync, sometimes async, and sometimes they get lost in transit.
| | Bug: 187722787
| | Test: atest --iterations=100 AppOpsLoggingTest#getBTScanResults
| | Change-Id: I26c7b8029ea140d850aba7ec77c691ed9fea76d9
* | Update location bypass allowlist [Soonil Nagarkar, 2021-05-21, 1, -3/+4]
| | Create a new DeviceConfig entry to replace the prior Settings entry on which the location ignore settings allowlist is based. This allows us to allowlist based on attribution tag, and eliminate holes for large applications.
| | Test: manual + CTS + GTS
| | Bug: 187421886
| | Change-Id: I31e61db79b93e202bd8c66efae1bb5aaf0c88ff5
* | Merge "Avoid a SecurityException crash" into sc-dev [TreeHugger Robot, 2021-05-21, 1, -0/+13]
|\ \
| * | Avoid a SecurityException crash [Guojing Yuan, 2021-05-20, 1, -0/+13]
| |/
| | 1. Instead of throwing SecurityException, log the error.
| | 2. Set isAttributionTagNotFound to true when the attributionTag is not null but not found in the package attributions.
| | Fix: 188549667
| | Test: N/A
| | Change-Id: I75a217893353ee5fe5d191e2b78ccf391847adb6
* | Merge "Add OPSTR_PHONE_CALL_* op strings to System API" into sc-dev [TreeHugger Robot, 2021-05-21, 1, -2/+2]
|\ \
| * | Add OPSTR_PHONE_CALL_* op strings to System API [Nate Myren, 2021-05-20, 1, -2/+2]
| | | The PermissionController needs these ops to display phone calls in the Privacy Dashboard
| | | Test: build
| | | Bug: 176902658
| | | Change-Id: Ib2a862520a73f3e65eeefd0fcba3843ef9112354
* | | Revert "Create non-bypassable op restrictions" [Ocean Chen, 2021-05-20, 1, -11/+1]
|/ /
| | This reverts commit a023924afd388a6ca9fa7ec36b99b1de1795c32b.
| | Reason for revert: Test Monitor triggers the test build
| | Bug: 188708756
| | Bug: 188733943
| | Change-Id: I2d17d4f77287020953fb559cf98ff8475f32ed1b
* | Create non-bypassable op restrictions [Evan Severson, 2021-05-19, 1, -1/+11]
| | Even if the app is privileged or has the audio restriction bypass it can't bypass these restrictions. These will be used for the mic and camera toggles since under no circumstances should sensitive information reach the application layer while the toggles are muting.
| | Test: Verify privileged app couldn't access mic when toggle is blocking
| | Fixes: 188122748
| | Change-Id: Ib1bad074b3744fd565e8c8ff1c726be91c830d3e
* | Add support for excluding tags from restrictions [Soonil Nagarkar, 2021-05-14, 1, -8/+15]
|/
| Allow user restrictions to provide an excluded map of packages and tags rather than just packages.
| Bug: 187421886
| Test: manual
| Change-Id: I8f90ba6cdd288068664b352fdb540d0f11fe3dfc
* Merge "Fix a serialization issue in sync op reporting" into sc-dev [TreeHugger Robot, 2021-05-07, 1, -6/+6]
|\
| * Fix a serialization issue in sync op reporting [Svet Ganov, 2021-05-07, 1, -6/+6]
| | If the application thread is not ready yet we cannot get the package name and were short circuiting which led to leaving the remainder of the payload in the parcel breaking subsequent content reads.
| | bug: 184616098
| | Test: atest CtsAppOpsTestCases
| | Change-Id: I83f0d74deb87f2b4517d8a4d10b5331c7d41bb89
* | Merge "Fix issues with getHistoricalOps() results overflowing Binder ↵ [TreeHugger Robot, 2021-05-06, 1, -20/+7]
|\ \
| | | connection." into sc-dev
| * | Fix issues with getHistoricalOps() results overflowing Binder connection. [Stanislav Zholnin, 2021-05-05, 1, -20/+7]
| | | Test: manually tested.
| | | Bug: 186193371
| | | Change-Id: I391cb36a86308c89056965a47596707257a2a0af
* | | Merge "Prepare AttributionSource to expose to native" into sc-dev [Svetoslav Ganov, 2021-05-05, 1, -105/+120]
|\ \ \
| |/ /
|/| /
| |/
| * Prepare AttributionSource to expose to native [Svet Ganov, 2021-05-04, 1, -105/+120]
| | Separate the internal state of AttributionSource from the class to make it a simple AIDL we can translate automatically to native - keeping Java and native parts in sync. This would allow writing a thin native lib for checking attribution source permissions which would be used to teach camera and audio about attributions.
| | Define an AIDL interface for passing around an attribution source and opr performing permission checker operations allowing native and Java permission checks on attribution chains to be handled. The Java side permission checker functions are in a dedicated permission checker service on top of which sits the PermissionChecker. We expose similar PermissionChecker native APIs sitting on top of the same remote interface. The nice thing is that we have native and Java permission checkers in sync sharing remoting code and being close in shape.
| | For now the PermissionChecker in Java is divorced from the PermissionManager but in T we will consider how to unify them, either by an extension object on the PermissionManager or APIs on the PermissionManager, or another approach, and then migrate clients off the PermissionChecker APIs.
| | Sync app ops were not tracked across multiple binder calls which prevents moving the permission checks in the system server as this adds one more hop. Now sync ops are propagated back the call stack and only the ops for the package are dispatched to it and the rest are propagated back to the caller, recursively.
| | bug: 158792096
| | Test: atest CtsPermission5TestCases
| |       atest CtsAppOps2TestCases
| |       atest CtsPermissionTestCases
| |       atest CtsPermission2TestCases
| |       atest CtsPermission3TestCases
| |       atest CtsPermission4TestCases
| |       atest CtsPermission5TestCases
| | Change-Id: Ia5cbd2eb20a2da172a5960afdddd7e467f4bcb0d