| Commit message (Collapse) | Author | Age | Files | Lines |
setupBcb() is called before allocating space, if space allocation
failed, we should clearBcb() to properly release resources.
Test: th
Bug: 221001516
Change-Id: Idce67925503cf910ab226b193a4387c32225c0bb
|
When installing a non-AB package, if the OS contains compressed apexes,
we need to allocate space for these apexes so that they can be properly
decompressed on the next reboot.
Test: adb shell cmd recovery install-package /data/ota_package.zip
Change-Id: Ia40d0614e0e724cfb17e91720ec88a15795bd8ee
|
The security exceptions in RoR API caused the OTA reboot to get stuck.
Since the error isn't related to the input of clients and clients
already have a fallback path; catch and rethrow the security
exception as an IOException.
Bug: 183475757
Test: OTA falls back to normal reboot upon security exceptions
Change-Id: I359f2f85bd1f0f8734011aa2db24dd7abe0aaa03
|
The change includes the following items:
1. Add error code for armRebootEscrow
2. Fail the armRebootEscrow for mismatching ror providers.
3. clear the escrow data for fatal armRebootEscrow
4. clear the RoR preparation state in recovery system for fatal
armRebootEscrow
Bug: 183140900
Test: atest FrameworksServicesTests:RebootEscrowManagerTests;
atest FrameworksServicesTests:RecoverySystemServiceTest;
Change provider before reboot, reboot-and-apply failed;
Change-Id: I266ea6f2e1c77994d5cc8c2713106c527c4e0722
|
The clients of resume on reboot want additional information for
reboot failures, so they can handle these failures better.
Therefore expose the reboot failure error code via SystemApi.
Bug: 183646725
Test: atest FrameworksServicesTests:RecoverySystemServiceTest;
Do an RoR with gmscore
Change-Id: Ia02655218194a070ce02e9dae6fd62e19259c9f9
|
If the device doesn't have a pin, the current RoR preparation will
go through; but the lskf capture event won't happen. In order not
to confuse the caller, throw an exception instead in the no-pin
case.
Bug: 170664917
Test: remove pin, request RoR with adb shell
Change-Id: Ib04c629234b71e3f6cb36bdfe47759a715a69146
|
Bug: 170432460
Test: refactoring CL. Existing unit tests still pass
Change-Id: Ibce939eec341cb9f572d13a33762cc5bc6e2ef42
Merged-In: Ibce939eec341cb9f572d13a33762cc5bc6e2ef42
|
This API isn't aware of slot switch, and shouldn't be used by
phonesky. So we prefer to deprecate it in case new callers use
it accidentally. Also don't allow callers with REBOOT permission
to call it.
Bug: 170664917
Test: build
Change-Id: I540b87fad461cb2c900f3e9d177bb5147abc1a22
|
Detailed design in http://go/multi-client-ror. We will reuse most of
the old APIs, and there are a few notable changes
1. Infer the package name from the existing context
2. Remove the unused update token
3. Add the REBOOT permission, so phonesky can hold it.
4. Add a new API for rebootAndApply, which takes a slotSwitch parameter
Bug: 170664917
Test: build
Change-Id: Icb012138bd1789ce03564aa255e5bd4e84374130
|
Detailed design in http://go/multi-client-ror. This cl adds internal
states in RecoverySystemService to keep track of multiple RoR
callers. The general principles work as follows:
1. Each client should call prepare before reboot
2. One client cannot clear the preparation of another client
3. If multiple clients have prepared the update, the subsequent
reboot will be first come, first served.
Bug: 170664917
Test: atest FrameworksServicesTests:RecoverySystemServiceTest
Change-Id: Ic8c7438f8a0300870ceed8857c46425fc0d006b9
|
@SuppressLint("Doclava125") is a legacy way of suppressing
RequiresPermission check. Updating to the new style of suppression
so metalava no longer has to support the legacy mode.
sed -i "s/@SuppressLint(\"Doclava125/@SuppressLint(\"RequiresPermission/" \
core/java/android/app/admin/DevicePolicyManager.java \
core/java/android/hardware/hdmi/HdmiControlManager.java \
core/java/android/hardware/location/ContextHubManager.java \
core/java/android/hardware/usb/UsbDeviceConnection.java \
core/java/android/net/TrafficStats.java \
core/java/android/os/RecoverySystem.java \
core/java/android/os/storage/StorageManager.java \
core/java/android/service/persistentdata/PersistentDataBlockManager.java \
location/java/android/location/LocationManager.java \
media/java/android/media/AudioManager.java \
telecomm/java/android/telecom/TelecomManager.java \
telephony/java/android/telephony/CarrierConfigManager.java \
telephony/java/android/telephony/TelephonyManager.java \
wifi/java/android/net/wifi/RttManager.java \
wifi/java/android/net/wifi/WifiScanner.java
Test: make
Exempt-From-Owner-Approval: No-op change
Merged-In: I6d5df95cfca2950ea86872d2f0afc1ba828841dc
Change-Id: I6d5df95cfca2950ea86872d2f0afc1ba828841dc
|
In response to feedback, remove boolean returns and rely on exceptions
to provide detailed descriptions.
Test: make # using a test app that calls the API using old signature
Test: atest FrameworksServicesTests:RecoverySystemServiceTest
Bug: 150205125
Change-Id: I95930078df9c88194f21b38ff7d96b425db47d56
|
Make obtaining a visual service from non-visual Context instance
report a strict mode violation and print the stacktrace.
Make calling getDisplay() throw an exception if called on an instance
that is not associated with a display. For existing usages introduce
a new internal method that does not perform the verification until
the usages are properly fixed.
Bug: 128338354
Test: StrictModeTest#testIncorrectContextUse_GetSystemService
Test: StrictModeTest#testIncorrectContextUse_GetDisplay
Change-Id: Id25d590eca6e10066e55d7ed6436d3bc9e433beb
|
in f/b
Replace the existing usages of now-deprecated API
WindowManager.getDefaultDisplay() with WindowMetrics or
Context.getDisplay() in frameworks/base.
Bug: 128338354
Test: Build, auto test
Change-Id: I02d38a022c5e0e6e9d699f03d35b65d6c8126da9
|
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.
Bug: 63928581
Test: atest FrameworksServicesTests:RebootEscrowDataTest \
FrameworksServicesTests:LockSettingsServiceTests \
FrameworksServicesTests:RecoverySystemServiceTest \
FrameworksServicesTests:RebootEscrowManagerTests
Test: use fake OTA console app to apply update
Change-Id: I59df6942b27ea2bdd11b757922f5169085a325f0
|
Existing annotations in libcore/ and frameworks/ will be deleted after the migration. This also means that any java library that compiles @UnsupportedAppUsage requires a direct dependency on "unsupportedappusage" java_library.
Bug: 145132366
Test: m && diff unsupportedappusage_index.csv
Change-Id: I534e3fd1305e2f4af076986770033478448a665c
|
This CL uses getGroupUuid() and isOpportunistic() instead to figure
out whether the subscription is visible or not
Bug: 140768340
Test: Manual
Change-Id: Id7215eabe4e6c47a057b747fdbb3027857f2f12c
|
am: 810274ed2d
Change-Id: Ibe6be230b5417cec8428516f6edbead1b0146976
|
This changes RescueParty to call vold over binder directly for
Checkpointing related calls. It turns out that if the system is in a bad
enough state, the other method would not work, as some of the services
required would not be running.
Bug: 135558798
Test: setprop persist.sys.enable_rescue 1
setprop debug.crash_system 1 or setprop debug.crash_sysui 1
vdc checkpoint startCheckpoint 3
stop
start
Device should go through the rescueparty flow, and reboot.
Repeat without checkpoint. Device should prompt reboot.
Change-Id: I8b11d68075cc291e9557d524bc87b54d17b370e4
|
Bug: 132360644
Test: E2E
Change-Id: Ic4e58ed7c8cf5892d8f49605e268c3d131b35ea9
(cherry picked from commit 1854f47f80e5eafaa56d688658550cc19f85f3c1)
|
"Make RescueParty not wipe if checkpointing" contained an incorrect
return statement, causing the last level of RescueParty to not execute
if checkpointing is not active. This fixes that error
Test: setprop persist.sys.enable_rescue 1
Set device to not commit checkpoints
adb shell setprop debug.crash_sysui 1
adb shell stop
adb shell start
Rescue Party causes wipe prompt
Bug: 131721345
Change-Id: I9376020355b80a4e830e6884b92ade9ad11dc8ee
|
If we're checkpointing, we can roll back instead of wiping. If the
update was the problem, we will succeed. Otherwise, RescueParty will
catch the issue again and prompt the wipe later
Test: setprop persist.sys.enable_rescue 1
Set device to not commit checkpoints
vdc checkpoint StartCheckpoint 3
reboot
adb shell setprop debug.crash_system 1
adb shell stop
adb shell start
Rescue Party causes reboot instead of wipe
repeat without checkpointing to get wipe
Change-Id: Iba0263214baa7a0c3d5565b4393d03f975d8000a
|
For packages:
android.os
This is an automatically generated CL. See go/UnsupportedAppUsage
for more details.
Exempted-From-Owner-Approval: Mechanical changes to the codebase
which have been approved by Android API council and announced on
android-eng@
Bug: 110868826
Test: m
Change-Id: I4ece0a3f37f88fc2508cb965092aed7cabc61819
|
More information will be useful to investigate unintentional wipe
for users. Added timestamp information into reason text.
Bug: 120586954
Change-Id: I26dd4eff815d736bf34e944be6843cbb80515ca9
|
Move the report for non-A/B metrics to the native code in
recovery-persist. We will also handle the report of sideload
status for all devices there.
Bug: 114278989
Test: check the metrics report from recovery-persist.
Change-Id: I856f2f301a9d42979d0b207294cdf5d51d7e1e3f
|
When we show the option to users to allow them to decide whether they want
to keep eSIM profiles during FDR, we remove erasing eSIM profiles from
CompleteBootService. So there is no need to call
EuiccManager#retainSubscriptionsForFactoryReset again. And when we don't
show this option to users, we will always erase eSIM profiles with
isWipeEuicc equal to true.
Bug: 67500470
Test: E2E
Change-Id: Ide4ee5fbfd4b2aadc78071f8ecb8e0424a37db44
|
This function is used to wipe the eSIM profiles from eUICC card which
should not only be called from FDR but also from the network reset. This
CL changes it to hide public API.
Bug: 62961867
Test: TBC
Change-Id: I1d716763720e9a2c897b9e85f95bab562fe150e2
|
This is a revert of change I414a16cde11e76ccc390e7a63a6803f5b402fe78.
As an additional safety latch, we bypass all logic (either wipe or
retain) if the eSIM has never been provisioned. An unprovisioned eSIM
cannot possibly have profiles - indeed, we don't show the "Wipe eSIM"
checkbox in this case - so there's no reason to tell the LPA to retain
them.
Bug: 63693573
Test: TreeHugger + factory reset local test
Change-Id: I1fea50db317388e81823bf1bd0977ffe787a05e0
|
This seems to be causing users who elect not to wipe their eUICC on a
factory reset to end up on the eSIM slot after the reset instead of
the pSIM slot.
Bug: 63693573
Test: TreeHugger + factory reset local test
Change-Id: I414a16cde11e76ccc390e7a63a6803f5b402fe78
|
Factory reset of eSIM failed because the euiccWipeFinishReceiver cannot
be registered by the context directly. This CL changes the context to
application context to solve this problem.
Bug: 63610700
Test: E2E
Change-Id: I7e4c8b75b5b5b4203efd7302677ffa5cf00198b5
|
This CL reverts the implementation of eSIM factory reset in
MasterClearReceiver and uses RecoverySystem#rebootWipeUserData to erase
eSIM data. Besides this, when the eSIM data isn't erased, we should call
EuiccManager#retainSubscriptionsForFactoryReset to let the fastboot know
that.
Bug: 62957212
Test: TreeHugger
Merged-In: I08ab9d53ec4fc73a65e8e7d0c39ac95b2d44d012
Change-Id: I08ab9d53ec4fc73a65e8e7d0c39ac95b2d44d012
|
Add a new flag in the DevicePolicyManager so that we can use
EuiccManager#eraseSubscriptions(PendingIntent) to erase all the carrier data
from eUICC chip if the user chooses to "ERASE" from the Android device manager.
Bug: 37277944
Test: E2E
Change-Id: Ia78090a00d956c645725be4fd591e02ded8ec467
|
am: c1406978a4
Change-Id: I305967cad945a807c3f8234efabaad0ef8b591d1
|
Most @SystemApi methods should be protected with system (or higher)
permissions, so annotate common methods with @RequiresPermission to
make automatic verification easier.
Verification is really only relevant when calling into system
services (where permissions checking can happen on the other side of
a Binder call), so annotate managers with the new @SystemService
annotation, which is now automatically documented.
This is purely a docs change; no logic changes are being made.
Test: make -j32 update-api && make -j32 offline-sdk-docs
Bug: 62263906
Change-Id: I2554227202d84465676aa4ab0dd336b5c45fc651
|
am: d9417c53e0
Change-Id: I0b2b42d95d739701a367bd5d25bebbd64d033ad0
|
Bug: 34201965
Test: follow instructions in https://docs.google.com/document/d/1RjvUGRi_Ys5-BRoJz6_SnixuipFiF-GAs6CNc7w-Qj0/edit and use fake-ota
Change-Id: I540f86cf11746faefc25bc74319512eba6d0d783
|
2db2f6d265 am: c2a0d6776c
am: 1b0da0cdfd
Change-Id: I967edc50dff44d830e475b94678c0194a379dba1
|
Read and report the error_code & cause_code from last_install.
Bug: 36866437
Test: mma & observe the sysui event in logcat -b events
Change-Id: I5357861fc758e14ed3235bfc8cc76d7561ccea58
|
Bug: 32518487
Test: mma
Change-Id: I00494aff91b473ae54eff8d56910198f88083d40
|
Switch the locale argument from Locale.toString() to
Locale.toLanguageTag(). The new format is more readable and less error
prone.
Bug: 35215015
Test: recovery processes sr-Latn correctly
Change-Id: I47e1cf54434cb841652d4b259e0e829104fb19a2
|
Hook up to android.os.VintfObject.verify().
Bug: 36592877
Test: Flash on marlin; verify with package that has and doesn't have
compatibility.zip entry.
Change-Id: I4e73fa42f4e3fd2e1c5ffec2ffa6152538d62eee
|
This CL extends the existing API RecoverySystem.verifyPackage() to
verify the compatibility entry in an OTA package. It returns true
directly if such an entry doesn't exist. Otherwise it reads and passes
the contents to VintfObject to perform the verification.
This CL also adds a new system API
RecoverySystem.verifyPackageCompatibility() to verify a given
compatibility zip file. It extracts all the entries and passes them to
VintfObject.verify() to verify the package compatibility. This API is
for streaming A/B OTAs only, where we don't download the full package
but only needed entries.
Bug: 36592877
Bug: 36596980
Test: RecoverySystem.verifyPackage() returns the same result for
packages w/o a compatibility entry.
Change-Id: I038be672868a91820c045d1da100e8e33b23d442
|
022682a721
am: 998c554463
Change-Id: I12a0f4c5fb768bdaa3a4baa4fa5bd7964b80110e
(cherry picked from commit d580a85b20a57984a3cb77685f5a10af8e2f2506)
|
032c7a0a18 am: 1cd3a93288
am: bc0865bc78
Change-Id: I65bc4945d0701ecc10fd41f827c4566dfea912f9
(cherry picked from commit ee45a1f3abd50a7451cfd7b6d7e48b778021bac5)
|
It sometimes needs to launch OEM-supplied apps for processing, so make sure
it continues to do so.
Bug 34587823
Test: verified dispatch via logcat/dumpsys
Change-Id: Ic80e06582116cdd629492ed01a9b05b0e1b3822e
|
When a device gets stuck in a crash loop, it's pretty much unusable
and impossible for users to recover from.
To help rescue devices from this state, this change introduces a new
feature that watches for runtime restart loops and persistent app
crash loops, and escalates through a series of increasingly
aggressive rescue operations. Currently these rescue levels walk
through clearing any experiments in SettingsProvider before finally
rebooting and prompting the user to wipe data.
Crash loops are detected based on a number of events in a specific
window of time. App stats can be stored in memory, but boot stats
need to be stored in system properties to be more robust.
Start up RecoveryService much earlier during the boot so we can
reboot into recovery when needed.
Add properties that push system_server or SystemUI into a crash loop
for testing purposes.
Test: builds, boots, forced crashing walks through modes
Bug: 24872457, 30951331
Change-Id: I6cdd37682973fe18de0f08521e88f70ee7d7728b
|
This reverts commit 9f7a0acd2d383b825bcdcbef25d6b42f9875acfe.
Bug: 34350643
Bug: 34396955
Test: installPackage() doesn't cause deadlock if it doesn't call
processPackage() prior to that.
Change-Id: I1da055c86a3326ae341da1b4d5dc79ab4be256fb
|