| Commit message (Collapse) | Author | Age | Files | Lines |
This CL is in continuation to ag/16214441 CL and takes care of a few review comments which were pending from the media content provider redirection CL.
Bug: 202035750
Test: atest CtsAppCloningHostTest
Change-Id: I408f985d257b03faef9b934acb43dd5c4cbdb508
|
As of now when a clone profile user [android.os.usertype.profile.CLONE] queries any content provider (e.g. media, ...etc), it gets served by the corresponding content provider running in that user space. So, in case of the media content provider, sharing of media items of the owner user space is not possible in the clone profile user space. To facilitate the same, media content provider queries are getting redirected to the owner user space's content provider as a part of this CL.
Bug: 202035750
Test: atest CtsAppCloningHostTest
Change-Id: I09500f86dbd149739422695b6dbd9f1a9717b4e6
|
AttributionSource checks calling UID on unparcel (so the check is not
necessary), and some ContentProviders may clear calling identity.
Test: Manual
Fixes: 188755312
Change-Id: If629eea3ba8c1a57fd4b7aff0fec2c0acb5f69be
|
It'll help to debug content provider related performance issues.
Bug: 190416935
Test: Manual - Record perfetto trace & verify auth name is logged.
Test: CtsContentTestCases:android.content.cts
Test: FrameworksCoreTests:android.content
Change-Id: Ifaa1c58135e6aa2a46ecbba92a9266e7d29d5421
|
Attribution source is the abstraction to capture the data
flows for private data across apps. Checking permissions
for an attribution source does this for all apps in the
chain that would receive the data as well as the relevant
app ops are checked/noted/started as needed.
Teach speech recognition service about attribution
chains. If an implementation does nothing the OS
would enforce permissions and do blame as always.
This approach leads to double blaming and doesn't
support attribution chains where app calls into
the default recognizer which calls into the on
device recognizer (this nests recursively). If the
implementer takes advantage of the attribution chain
mechanism the permissions for the entire chain are
checked at mic access time and all apps are blamed
only once.
Fixed a few bugs around finishing ops for attribution
chains. Also ensured that any app death in a started
attribution chain would lead to finishing the op for
this app
bug: 158792096
Test: (added tests for speech reco)
atest CtsMediaTestCases
atest CtsPermissionTestCases
atest CtsPermission2TestCases
atest CtsPermission3TestCases
atest CtsPermission4TestCases
atest CtsPermission5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
Merged-In: Ic92c7adc14bd2d135ac13b96f17a1b393dd562e4
Change-Id: Ic92c7adc14bd2d135ac13b96f17a1b393dd562e4
|
Bug: 185900460
Test: atest
Change-Id: I72b743affd9c1c47650c4249e855676203033f5e
|
Revert "Restore file truncation where expected."
Revert submission 14173486-rwt
Reason for revert: b/186862362 - breaks ContentResolverWrapTest
Reverted Changes:
I41bc298af:Restore file truncation where expected.
Iacec49164:Restore file truncation where expected.
Bug: 186862362
Change-Id: I2afe5e2334cff60c4e7220267095042a60909185
|
Several years ago ParcelFileDescriptor.parseMode() was fixed to match
the behavior of fopen(), since developers expect consistent behavior
between managed and native code. FileUtilsTest.testTranslateMode()
verifies that all these modes are correctly translated.
However, this unintentionally changed the behavior of
ContentResolver.openOutputStream(), which only sends the 'w' mode
to the remote process. Developers expect this API to behave like
the FileOutputStream constructor, which always truncates the file
unless opened with the append mode.
Since some remote providers may not be prepared to handle the 't'
mode, this change carefully uses Os.ftruncate() to restore this
expected behavior in all cases.
For other APIs that return opened files, this strategy is applied
to restore the original behavior, but only when the target SDK of
the app is expecting this truncation to take place. The reason for
this is that moving forward our goal should always enable
ContentInterface APIs to be a transparent conversation between apps
without attempting to alter the behavior. Apps talking with older
providers can apply the Os.ftruncate() logic themselves, if
desired, once they target Android Q or higher.
Bug: 157888856, 180680924
Test: atest CtsContentTestCases:ContentResolverTest
Change-Id: Iacec49164c4ce3891db0270635e9f458dea7becd
|
Bug: 183395239
Test: atest ContentProviderTest
Change-Id: I13c382e7ad4f291de28a52025a8ec4e59d815409
|
When an app is proxying access to runtime permission protected
data it needs to check whether the calling app has a permission
to the data it is about to proxy which leaves a trace in app ops
that the requesting app performed a data access. However, then the
app doing the work needs to get the protected data itself from the
OS which access gets attributed only to itself. As a result there
are two data accesses in app ops where only the first one is a
proxy one that app A got access to Foo through app B - that is the
one we want to show in the permission tracking UIs - and one
for the data access - that is the one we would want to blame on
the calling app, and in fact, these two accesses should be one -
that app A accessed Foo through B. This limitation requires fragile
one off workarounds where both accesses use the same attribution
tag and sys UI has hardcoded rules to dedupe. Since this is not
documented we cannot expect that the ecosystem would reliably
do this workaround in apps that that the workaround in the OS
would be respected by every OEM.
This change adds a mechanism to resolve this issue. It allows for
an app to create an attribution context for another app and then
any private data access through this context would result in a
single app op blame that A accessed Foo through B, i.e. we no longer
have double accounting. Also this can be nested through apps, e.g.
app A asks app B which asks app C for contacts. In this case app
B creates an attribution context for app A and calls into app C
which creates an attribution context for app B. When app C gets
contacts the entire attribution chain would get a proper, single
blame: that C accessed the data, that B got the data from C, and
that A got the data from B. Furthermore, this mechanism ensures
that apps cannot forget to check permissions for the caller
before proxying private data. In our example B and C don't need
to check the permissions for A and B, respectively, since the
permissions for the entire attribution chain are checked before
data delivery. Attribution chains are not forgeable preventing
a bad actor to create an arbitrary one - each attribution is
created by the app it refers to and points to a chain of
attributions created by their corresponding apps.
This change also fixes a bug where all content provider accesses
were double counted in app ops due to double noting. While at
this it also fixes that apps can now access their own last ops.
There was a bug where one could not pass null getting the attributed
ops from a historical package ops while this is a valid use case
since if there is no attribution everything is mapped to the null
tag. There were some app op APIs not being piped through the app
ops delegate and by extension through the app ops policy. Also
now that we have nice way to express the permission chain in a
call we no longer need the special casing in activity manager to
handle content provider accesses through the OS. Fixed a bug
where we don't properly handle the android.os.shell calls with
an invalid tag which was failing while the shell can do any tag.
Finally, to ensure the mechanism is validated and works end-to-end
we are adding support for a voice recognizer to blame the client
app for the mic access. The recognition service can create a blaming
context when opening the mic and if the mic is open, which would
do all permission checks, we would not do so again. Since changes
to PermissionChecker for handling attribution sources were made
the CL also hooks up renounced permissions in the request permission
flow and in the permission checks.
bug:158792096
bug:180647319
Test:atest CtsPermissionsTestCases
atest CtsPermissions2TestCases
atest CtsPermissions3TestCases
atest CtsPermissions4TestCases
atest CtsPermissions5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
|
Bug: 179659160
Test: atest ContentProviderTest
Change-Id: I86edc2d4fa0911366a91170819140b274f5d6480
|
This CL is basically identical to http://ag/10353234, which
did the same with the sister method, "canonicalize".
Fixes: b/147705670
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Change-Id: Ide93850f225cdd61779a62fc2c4666efe438b536
|
These are APIs that have @UnsupportedAppUsage but for which we don't
have any evidence of them currently being used, so should be safe to
remove from the unsupported list.
Bug: 170729553
Test: Treehugger
Change-Id: I4c8fd0006f950de9955242e93968fb0996ceb372
|
This is a third CL in a chain that adjusts existing malformed code
to follow AndroidFrameworkBinderIdentity best-practices.
Specifically, if a thread clears an identity they need to restore it
to avoid obscure security vulnerabilities. In addition, the relevant
"try" block must start immediately after the identity is cleared to
ensure that its restored if/when any exceptions are thrown.
Bug: 155703208
Test: make
Exempt-From-Owner-Approval: trivial refactoring
Change-Id: I74cb958b68d55a647547aae21baff6ddc364859b
|
am: cb51202601 am: 6c6e238f23
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1382537
Change-Id: I19ef5e99506ffbb2b7dcb79f72fae92161b77f8b
|
See https://source.android.com/setup/contribute/respectful-code for reference
#inclusivefixit
BUG=162536543
Change-Id: I0ff4f00b9251789820023f25623f3bb9f8a437af
|
Existing annotations in libcore/ and frameworks/ will be deleted after the migration. This also means that any java library that compiles @UnsupportedAppUsage requires a direct dependency on "unsupportedappusage" java_library.
Bug: 145132366
Test: m && diff unsupportedappusage_index.csv
Change-Id: I6ab53570aca580fbee1fcc927871caa09780f58f
Merged-In: I6ab53570aca580fbee1fcc927871caa09780f58f
|
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Bug: 149184281
Change-Id: Ice6e1207ace7a0cc6b4b8dc1b99da22b13b04031
|
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Fixes: 149184281
Change-Id: Id200748c9d54222aaf669209a43cbaa5675d8331
|
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Fixes: 149184281
Change-Id: If3c33e58b1d0f3b88148eb3d2085c9d23cf12fc2
|
We have a new ContentProvider.checkUriPermission() method, but we
forgot to add the symmetric ContentResolver.checkUriPermission() to
the public API, and a first-party developer helped identify this
oversight.
Bug: 151165313
Test: atest CtsContentTestCases:android.content.cts.ContentResolverTest
Change-Id: Ic5496b5a6fda14c25cb3752f5af2f71564d003ba
|
In the core functionality this changes everything including aidl's and
field names:
- Context
- ContentProvider
- AppOps*
- Package parsing
For the rest, this is a shallow change to only change to the changed
APIs. This keeps the change small-ish
Exempt-From-Owner-Approval: Rename
Fixes: 148792795
Test: TH
Change-Id: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a
Merged-In: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a
|
Fixes: b/147699082
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Change-Id: I2e851839a454ad5eabc981c76774d03b57a1aa09
|
Fixes: b/147646960
Test: atest FrameworksCoreTests:android.content.ContentResolverTest
Change-Id: I04c15ac008fe14b215f954af150226dc94f22232
|
I've added this to ContentProvider since it's where all of the existing
hidden logic where userinfo = userid lives.
Bug: 136249261
Test: atest CtsProviderTestCases:android.provider.cts.DocumentsContractTest
Change-Id: I3a815f2c8dd738140aec6937ce0d3b763bf49fba
|
Adjust Exception to more general Throwable, and add docs for
new ContentResolver and ContentProvider overloads. Also add docs
for default state of strict query options.
Bug: 131598520, 141227540, 147287177
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: Icb0153b8c8a352db39de301074e948bfaa676ddb
|
The bulk of the work needed to get MediaProvider building against
the "system_current" SDK surface has been slowly merged over the
last few months, and this change makes the last few adjustments.
This adds a new StorageVolumeCallback which is a simpler version of
StorageEventListener that simply delivers the changed StorageVolume.
Move DownloadManager logic into a onMediaStoreDownloadsDeleted()
method which hides the implementation details of how the OS connects
with that implementation.
Make local copies of some ExifInterface parsing logic; they could
be added to the androidx version in an unbundled release. Make a
local copy of RedactingFileDescriptor, since it's only needed for
the next few weeks until FUSE is globally enabled.
Bug: 137890034
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: Ib416eb8724781bdd234c8b7d728dee8b695ad6ac
|
Existing annotations in libcore/ and frameworks/ will be deleted after the migration. This also means that any java library that compiles @UnsupportedAppUsage requires a direct dependency on "unsupportedappusage" java_library.
Bug: 145132366
Test: m && diff unsupportedappusage_index.csv
Change-Id: I6ab53570aca580fbee1fcc927871caa09780f58f
|
A few releases ago we added ContentResolver.QUERY_ARG_* constants
to query() as a new best-practice that will help wean us off raw
SQL arguments. (For example, a provider could add their own
custom arguments like QUERY_ARG_INCLUDE_PENDING to cause the query
to reveal pending items that would otherwise be hidden.) This
change expands update() and delete() to accept those arguments.
This change also expands insert() to accept extras too, as part of
preparing to support an upcoming MediaProvider feature that will let
apps place new media "adjacent" to an existing media item. (Sending
that adjacent item through extras is cleaner than trying to send it
through escaped query parameters.)
Bug: 131643582
Test: atest CtsContentTestCases
Change-Id: I436296155b9b5f371b4cbe661feaf42070285fcc
|
This takes the Context#getFeatureId from the calling context and pipes
it all the way through to the noteOp calls done by the content provider.
Bug: 136595429
Test: atest CtsAppOpsTestCases (new test added to capture this case)
TelecomUnitTests:CallLogManagerTest
ContentProviderClientTest
TelecomUnitTests:MissedCallNotifierImplTest
TelecomUnitTests:BasicCallTests
MediaInserterTest
PreferencesHelperTest
RankingHelperTest
PinnedSliceStateTest
FrameworksCoreTests:ContentResolverTest
Change-Id: I53b1035626229c920b353509a5bece157b52fb51
|
Bug: 139754067
Change-Id: I3dd0e2c7b08ecf69bcbdab6e146c6fddb7d64783
Test: Manual
|
Auto-documentation adds nullability info for parameters in docs. The
manual info about nullability causes confusion and might not always be
up to date so remove it from the ContentProvider docs.
Fixes: 140541978
Test: n/a
Change-Id: I3847bbb35601f516c11370e74dd8b6734c289f68
|
Line was too long in previous commit so just updating that fix and
cleaning it up.
Bug: 139554125
Test: atest android.content.ContentProviderTest
Change-Id: Ie63151db35cc47f691b5a4733409c10b1ac4299c
|
Bug: 139554125
Test: atest FrameworksCoreTests:android.content.ContentProviderTest
Change-Id: I4a2d78de257cb898b75543dcbfde4b6317b3393f
|
Packages with INTERACT_ACROSS_USERS_FULL can now access
ContentProvider#checkUser.
Bug: 139188114
Test: atest ContentProviderTest
Change-Id: Ie71387a26da66ebe34f296476c284c33abba6368
|
Instead of creating a new public API that requires developers to call
it, offer to enable transport logging based on the class name.
Bug: 137890034
Test: manual
Change-Id: Iea2a24310bd100be62a5c525108d17bafe7d11ea
|
The new MediaProvider design has an internal dynamic security model
based on the value stored in OWNER_PACKAGE_NAME, so the OS always
needs to consult the provider when resolving Uri permission grants.
Blocking calls from the system process like this are typically
discouraged, but this is the best we can do with the limited time
left, and there is existing precedent with getType().
For now, use "forceUriPermissions" as a proxy for determining when
we need to consult the provider directly.
Bug: 115619667
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest android.appsecurity.cts.ExternalStorageHostTest
Change-Id: I1d54feeec93fbb4cf5ff55240ef4eae3a35ed068
|
The logic in MediaProvider is technically correct, but it's sometimes
inefficient in calling into the OS multiple times with the same
questions, such as validating getCallingPackage().
To mitigate this overhead, and start paving the way for more dynamic
delegation of permission checks, collect these details into a
LocalCallingIdentity object. We carefully perform all permissions
checking against this new object, and avoid using any other
thread-local values from ContentProvider or Binder.
Local tests show this CL improves performance of a test app that
takes 100 rapid shots by 37%.
This change is a no-op refactoring.
Bug: 130758409, 115619667
Test: atest --test-mapping packages/providers/MediaProvider
Change-Id: If250a7675f2246cd10881acf615619d6d6061f3d
|
This change adds a mechanism for restricting permissions (only runtime
for now), so that an app cannot hold the permission if it is not white
listed. The whitelisting can happen at install or at any later point.
There are three whitelists: system: OS managed with default grants
and role holders being on it; upgrade: only OS puts on this list
apps when upgrading from a pre to post restriction permission database
version and OS and installer on record can remove; installer: only
the installer on record can add and remove (and the system of course).
Added a permission policy service that sits on top of permissions
and app ops and is responsible to sync between permissions and app
ops when there is an interdependency in any direction.
Added versioning to the runtime permissions database to allow operations
that need to be done once on upgrade such as adding all permissions held
by apps pre upgrade to the upgrade whitelist if the new permission version
introduces a new restricted permission. The upgrade logic is in the
permission controller and we will eventually put the default grants there.
NOTE: This change is reacting to a VP feedback for how we would handle
SMS/CallLog restriction as we pivoted from role based approach to roles
for things the user would understand plus whitelist for everything else.
This would also help us roll out softly the storage permission as there
is too much churn coming from developer feedback.
Exempt-From-Owner-Approval: trivial change due to API adjustment
Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.PermissionsHostTest
Test: atest CtsPermissionTestCases
Test: atest CtsPermission2TestCases
Test: atest RoleManagerTestCases
bug:124769181
Change-Id: Ic48e3c728387ecf02f89d517ba1fe785ab9c75fd
|
Also migrate MediaProvider logging to more general-purpose location
on the ContentProvider.Transport, where we can log exact input/output
values to aid debugging.
Bug: 124347872
Test: manual
Change-Id: I6aba60879ded4e0892d2d1cdd717c23cebaaabd8
|
Confirm that invoking methods on DocumentsContract will correctly
be decoded and passed through to a DocumentsProvider instance.
Bug: 123725500, 123660195
Test: atest android.provider.cts.DocumentsContractTest
Change-Id: I16e7da808db83645db06f16a6be2c9575d9a3d06
|
This reverts commit e865b9d9bf8c739793aa645e3dca279e0bc22c0f.
Reason for revert: caused b/123709320, also not needed any more
Fixes: 123709320
Change-Id: I2afa0a60133a490ab433cd04dd03a5e26fb3fc14
|
Test: presubmit
Change-Id: I7c0ee96275e8818af5535e789203243ee14659e4
|
A single provider may offer multiple authorities, so we now pass along
the authority being requested. However, we need to validate that the
authority is actually serviced by the provider, similar to what we do
in validateIncomingUri().
Bug: 120673301
Test: atest android.content.cts
Test: atest android.provider.cts
Change-Id: Ia9734a42558ee9d46dc54f7e12b596cf03a520f5
|
Several @link & @see javadoc directives were malformed, resulting in the
Javadoc code being output to the HTML.
Staged to:
http://go/dac-stage/reference/android/app/slice/Slice.Builder
http://go/dac-stage/reference/android/app/slice/SliceProvider
http://go/dac-stage/reference/android/text/style/ImageSpan
http://go/dac-stage/reference/android/content/ContentProvider
Bug: 120743732
Test: make ds-docs
Change-Id: I589644f8d266a116441409fbdaf7a0c533e0e356
Exempt-From-Owner-Approval: Doc-only change
|
Existing APIs that accept a ContentResolver are too restrictive when
the caller has their own ContentProviderClient already bound and
configured, so we're in the market for a solution to open those
existing APIs to accept a wider range of inputs.
The solution we've come up with is to introduce a super-interface
which contains the common ContentProvider APIs, and then make
ContentProvider, ContentResolver, and ContentProviderClient all
implement that interface for consistency.
After this change lands, we can then safely relax existing APIs to
accept this new ContentInterface, offering a clean path to solving
the problem outlined above.
Bug: 117635768
Test: atest android.content.cts
Test: atest android.provider.cts
Change-Id: Ic5ae08107f7dd3dd23dcaec2df40c16543e0d86e
Exempted-From-Owner-Approval: keep tests working
|
Test: ensure no errors on boot
Change-Id: I44efbf1a52c9c602ce6c9f8ea23b7a4566df27f3
|