path: root/core/java/android/provider/DocumentsProvider.java
Commit message | Author | Age | Files | Lines
* Runtime permission attribution improvementsSvet Ganov2021-03-291-28/+14
When an app is proxying access to runtime permission protected data it needs to check whether the calling app has a permission to the data it is about to proxy which leaves a trace in app ops that the requesting app performed a data access. However, then the app doing the work needs to get the protected data itself from the OS which access gets attributed only to itself. As a result there are two data accesses in app ops where only the first one is a proxy one that app A got access to Foo through app B - that is the one we want to show in the permission tracking UIs - and one for the data access - that is the one we would want to blame on the calling app, and in fact, these two accesses should be one - that app A accessed Foo through B. This limitation requires fragile one off workarounds where both accesses use the same attribution tag and sys UI has hardcoded rules to dedupe. Since this is not documented we cannot expect that the ecosystem would reliably do this workaround in apps or that the workaround in the OS would be respected by every OEM.

This change adds a mechanism to resolve this issue. It allows for an app to create an attribution context for another app and then any private data access through this context would result in a single app op blame that A accessed Foo through B, i.e. we no longer have double accounting. Also this can be nested through apps, e.g. app A asks app B which asks app C for contacts. In this case app B creates an attribution context for app A and calls into app C which creates an attribution context for app B. When app C gets contacts the entire attribution chain would get a proper, single blame: that C accessed the data, that B got the data from C, and that A got the data from B.

Furthermore, this mechanism ensures that apps cannot forget to check permissions for the caller before proxying private data. In our example B and C don't need to check the permissions for A and B, respectively, since the permissions for the entire attribution chain are checked before data delivery.

Attribution chains are not forgeable preventing a bad actor to create an arbitrary one - each attribution is created by the app it refers to and points to a chain of attributions created by their corresponding apps.

This change also fixes a bug where all content provider accesses were double counted in app ops due to double noting. While at this it also fixes that apps can now access their own last ops. There was a bug where one could not pass null getting the attributed ops from a historical package ops while this is a valid use case since if there is no attribution everything is mapped to the null tag. There were some app op APIs not being piped through the app ops delegate and by extension through the app ops policy. Also now that we have nice way to express the permission chain in a call we no longer need the special casing in activity manager to handle content provider accesses through the OS. Fixed a bug where we don't properly handle the android.os.shell calls with an invalid tag which was failing while the shell can do any tag.

Finally, to ensure the mechanism is validated and works end-to-end we are adding support for a voice recognizer to blame the client app for the mic access. The recognition service can create a blaming context when opening the mic and if the mic is open, which would do all permission checks, we would not do so again. Since changes to PermissionChecker for handling attribution sources were made the CL also hooks up renounced permissions in the request permission flow and in the permission checks.

bug:158792096
bug:180647319
Test:atest CtsPermissionsTestCases
 atest CtsPermissions2TestCases
 atest CtsPermissions3TestCases
 atest CtsPermissions4TestCases
 atest CtsPermissions5TestCases
 atest CtsAppOpsTestCases
 atest CtsAppOps2TestCases
Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
* Merge changes from topic "sep11" am: c0b288133a am: 69e6f07347 am: ↵Jeff Sharkey2020-09-151-1/+1
|\ | | | | | | | | | | | | | | 741c0a78cc am: da7478b570 am: 487d394296 Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1426195 Change-Id: Id01f468b43fd5b2aada78608010625b392c1b647
| * Update language to comply with Android's inclusive language guidanceJeff Sharkey2020-09-141-1/+1
| | | | | | | | | | | | | | | | | | See https://source.android.com/setup/contribute/respectful-code for reference Test: none Bug: 168334533 Exempt-From-Owner-Approval: docs updates Change-Id: Ifce5239991e3b78dd4757712e3b88093ad7161f0
* | Validate user-supplied URIs in DocumentsProvider callsAbhijeet Kaur2020-09-021-7/+18
| | | | | | | | | | | | | | | | | | Some URIs are used without validating their authorities which can lead to exploitation by malicious apps. Bug: 157294893 Test: Manual using test app in b/157294893 Change-Id: I799509ed5ff7e69140e84d796fe7f96d9dbfd32f
* | Validate user-supplied tree URIs in DocumentsProvider callsAbhijeet Kaur2020-08-261-5/+12
|/ Currently we only validate DocumentsContract.EXTRA_URI, this change validates other URIs such as DocumentsContract.EXTRA_TARGET_URI and DocumentsContract.EXTRA_PARENT_URI as well Bug: 157320716 Test: Manually using the test app in b/157320716#comment1 Change-Id: I90fd1e62aa7dc333bf32eb80ccc5b181a1d54e41
* Merge "Revert "Check Read permissions when getDocumentMetadata"" into pi-dev ↵Kevin Chyn2020-05-071-2/+0
|\ | | | | | | | | | | am: 3d599fd941 am: c1f5869518 am: 38691f7626 Change-Id: I2179cb6e443d25c859ab6c433b11aec63153f256
| * Merge "Revert "Check Read permissions when getDocumentMetadata"" into pi-dev ↵Kevin Chyn2020-05-071-2/+0
| |\ | | | | | | | | | | | | | | | am: 3d599fd941 Change-Id: I18eb6c4cd9c42f3cc1d1051b47aafeeffb6b0c16
| | * Revert "Check Read permissions when getDocumentMetadata"Kevin Chyn2020-05-071-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | This reverts commit c94646177cbc86b07e9572ea88ab94ae8c235375. Reason for revert: 155930637 Change-Id: Id452d316d1c1721fce715474df009ebe0fb719e8
| * | Merge "Check Read permissions when getDocumentMetadata" into pi-dev am: ↵Diksha Gohlyan2020-05-061-0/+2
| |\| | | | | | | | | | | | | | | | 4371baafc1 Change-Id: Ib242d6ed7ff376a71f85a03aa06f2c0453638310
| | * Check Read permissions when getDocumentMetadataDiksha Gohlyan2020-05-051-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | Test: manually tested Bug: 151095863 Change-Id: I4f04f08f76d039196c2c67bac80d4a46ebec87f2 (cherry picked from commit 0e7580995549134aa765bf7b891c0ede73d9f0d0)
* | | Check Read permissions when getDocumentMetadataDiksha Gohlyan2020-04-021-0/+2
| | | | | | | | | | | | | | | | | | | | | Test: not tested Bug: 151095863 Change-Id: I4f04f08f76d039196c2c67bac80d4a46ebec87f2
* | | Rename featureId -> attributionTagPhilip P. Moltmann2020-03-121-25/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In the core functionality this changes everything including aidl's and field names: - Context - ContentProvider - AppOps* - Package parsing For the rest, this is a shallow change to only change to the changed APIs. This keeps the change small-ish Exempt-From-Owner-Approval: Rename Fixes: 148792795 Test: TH Change-Id: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a Merged-In: I2a2245fe76e09e62cb13d5785d2efb4a304ba54a
* | | Note with featureId from ContentProviderPhilip P. Moltmann2019-10-291-14/+28
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This takes the Context#getFeatureId from the calling context and pipes it all way through to the noteOp calls done by the content provider. Bug: 136595429 Test: atest CtsAppOpsTestCases (new test added to capture this case) TelecomUnitTests:CallLogManagerTest ContentProviderClientTest TelecomUnitTests:MissedCallNotifierImplTest TelecomUnitTests:BasicCallTests MediaInserterTest PreferencesHelperTest RankingHelperTest PinnedSliceStateTest FrameworksCoreTests:ContentResolverTest Change-Id: I53b1035626229c920b353509a5bece157b52fb51
* | Updated API docs.Jeff Sharkey2019-03-081-4/+6
| | | | | | | | | | | | Bug: 121324710 Test: manual Change-Id: I79eabd16bb87428800e5654f117227160b496132
* | Update Nullability of ApisIvan Chiang2019-03-061-5/+8
| | | | | | | | | | | | | | | | | | | | | | Update Nullability of apis in DocumentsContract, DocumentsProvider. Test: make Change-Id: Icc81333707bbeb9fe6d410ee35ade761e2d3b254 Fix: 126700626 Fix: 126702360 Fix: 126700352
* | Merge "Add new column into Root to get the supported query args"Ivan Chiang2019-01-231-0/+1
|\ \
| * | Add new column into Root to get the supported query argsIvan Chiang2019-01-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | DocumentsContract: - Add @Public column Root#COLUMN_QUERY_ARGS - Update java doc DocumentsProvider: - Update java doc FileSystemProvider & ExternalStorageProvider - Add supported query args into Roots Bug: 121234248 Test: manual Change-Id: Ia944200ee1a44d75c9ad683564218e3d0dcef885
* | | Add nullability annotations for some apis and update java docIvan Chiang2019-01-221-3/+8
|/ / | | | | | | | | | | | | | | | | - Add nullability annotations for some methods - Update the java doc of isRootsUri to make it more clear Change-Id: I8b065d526e11fe8d71bb1aec223918e7559967e0 Fix: 122549058 Test: make
* | Expose @SystemApi and @Public for unbundling DocumentsUIIvan Chiang2018-12-051-2/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | 1. Expose @Public for query arguments and flags. 2. Expose @SystemApi for related manageMode apis and some related storage flag in Root. 3. Add new isChildDocument method to support ContentResolver parameter and expose it @Public. 4. Expose @Public for getDocumentMetadata related methods. Bug: 117634543 Test: make, make api-stubs-docs-update-current-api, Change-Id: Ib172d46ba9727c35277fb285d3a09380fe106697
* | Add query argument QUERY_ARG_EXCLUDE_MEDIAIvan Chiang2018-12-051-0/+1
| | | | | | | | | | | | | | | | | | | | Use the argument to decide whether the files that have been added to MediaStore should be excluded. If the value is true, exclude them. Otherwise, include them. Bug: 119390918 Test: manual Change-Id: I245e4303a265a95b30400083841c593b66c4d960
* | Extend DocumentsContract search to accept mime typesIvan Chiang2018-11-141-23/+54
| | 1. Add the key of query arguments and match method in DocumentsContract. 2. Implement new querySearchDocuments method in DocumentsProvider, ExternalStorageProvider and FileSystemProvider. Bug: 111786939 Test: Manual Test Change-Id: I04e9f2be971f10ac1e9584a3486c948aaddea0a4
* | Merge "Add a more flexible queryRecentDocuments" am: 627441218dRisan2018-11-011-2/+38
|\ \ | |/ |/| | | | | | | am: a366edd78d Change-Id: Ib746205cd82634d0d7b821db94c8316e8260689c
| * Add a more flexible queryRecentDocumentsRisan2018-10-311-2/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing queryRecentDocuments have a hard limit 64. However, case like ARC++ wishes to have a more flexible limit that can be passed as an extra parameter. This new API will gracefully degrade to the old API to maintain backward compatibility with old providers. Bug: 111288304 Test: manual test (patched the MediaDocumentsProvider, and test calling the new API): 1. Test that passing Bundle with QUERY_ARG_LIMIT=5 is honored and returned is limited to 5. 2. Test that passing null will release the limit to default 64. 3. Test that removing MediaProvider implementation for new method and implement the old method will automatically redirect the call to old method (backward compatible with old providers). Change-Id: I37b1785b94f3e9cf09128fbf1e8779a4447fe7a9
* | docs: fixed instances of typo in 'overridden'kopriva2018-09-131-11/+11
|/ | | | | | | | | | | | | | This affects several files beyond those mentioned in the bug. I didn't fix some instances because the files had code problems that blocked presubmit checks. Test: make ds-docs Bug: 37094741 Change-Id: I642f0384fef2b267ebc970bae1b4fb90bae667e7 Exempt-From-Owner-Approval: Docs-only change
* Add metadata support to MTP docs provider.Steve McKay2017-08-021-26/+0
| Remove convenience method from DocumentsProvider, clients to use MetadataReader directly. Concentrate mimetype checking in MetadataReader.isSupportedType. Update FileSystemProvider to use MetadataReader directly. Test: Updated mtp tests. Other functionality manually verified. Change-Id: Ie1e3d3092b53107f6c980c18b1451290dd2a9653
* Remove "tags" arg from getDocumentMetadata.Steve McKay2017-07-271-6/+6
| It didn't lend itself naturally to the multi-metadata return type and was complicating further adoption of the feature in system providers. Test: manual Change-Id: I2dde59c7e9609a205614f715c7383b653fa83111
* Move stream based EXIF support to DocsProviderSteve McKay2017-07-211-1/+28
| | | | | | | | | @hide for now. Basically any client with stream for a file (advised to be local resource) can get standard metadata. In FileSystemProvider, include METADATA SUPPORTED flag for image files. Bug: 63893154 Test: build and test interactively. Change-Id: Idc6fecd53625b108647d66a45ac115a945a1083c
* Add provider support for metadata extractionJulian Mancini2017-07-191-2/+10
| In this CL, I'm adding ability to retrieve image metadata. I've added the class MetadataRetriever that can currently retrieve Exif data from an image. This class is used within FileSystemProvider in order to return a given image's exif data. Test: Hidden API Bug: 62621970 Change-Id: Ibb329492df4db1a65f65722c6a52582c43de8fe5
* Specify behavior around DocumentsProvider#openDocument().Garfield Tan2017-05-161-2/+6
| | | | | | | | Add supported modes and contracts on receiving unsupported modes. Test: Builds. Bug: 11279339 Change-Id: I8c403f6168baadb354813d4c1e630bb8662ddb34
* Merge "Unhide FLAG_SUPPORT_EJECT and related methods."TreeHugger Robot2017-03-241-8/+11
|\
| * Unhide FLAG_SUPPORT_EJECT and related methods.Garfield Tan2017-03-231-8/+11
| | | | | | | | | | | | Test: Builds and CTS tests pass. Some manual tests as well. Bug: 36483910 Change-Id: Idd9b1c9d9573222ee12127044ff11b9ab2487f0a
* | Introduce AuthenticationRequiredException, and @hideBen Lin2017-03-221-68/+52
|/ | | | | | | | | RecoverableSecurityException. Test: CTS tests in changes in same topic. Bug: 36482356 Bug: 36482258 Change-Id: I44b3407746006d8709e4a3f3ca2950c61fa0be95
* Stop DocumentsContract from consuming Exceptions if app is targeting OBen Lin2017-03-101-4/+77
| | | | | | | | or above. Test: Builds properly. Bug: 36023174 Change-Id: I455d358672f35fbeb5678c965b25268229ed4882
* Address comments from API council.Garfield Tan2017-03-021-3/+10
| | | | | | | Test: Code builds and tests pass. Also some manual tests around ESP. Bug: 35813037 Bug: 35812990 Change-Id: Ia9d3a3964e9a83d0c1c08e5db4c2e231504aa99a
* Don't mark query+cancellationSignal final.Steve McKay2017-01-241-1/+11
| | | | | | Bug: 34517733 Test: None. Change-Id: Iff281c676b928859c0e2e975d9f0cfabb36479d9
* Add Web Links API to framework.Tomasz Mikolajewski2017-01-191-0/+37
| | | | | | Test: CTS in a separate CL. Bug: 30152711 Change-Id: Ia256422d50110d6adcd1984f6481ab825dbf30b1
* Add structured sort data to ContentResolver.query.Steve McKay2017-01-111-5/+82
| | | | | | | | | | | Update DocumentsProvider to override ContentProvider#query(Uri, String[], Bundle, CancellationSignal); Added an otherwise unneeded import to pass doc check on DocumentsProvider. Bug: 30927484 Change-Id: I295c21f53901d567455286f22439f21d22a8a25a Test: Build and run. Test from DocsUi.
* Update API documentation about virtual files.Tomasz Mikolajewski2016-12-091-0/+4
| | | | | | | | To say that virtual files must have at least one streamable type. Test: None Bug: 33463773 Change-Id: I9094686cb95ee0af1c01b2bf88550cd3bbfe572d
* Unhide findPath() API. Add JavaDoc to related features.Garfield Tan2016-11-031-5/+0
| | | | | | | | | | Also remove comments that disallow folders in search results. Test: It builds. Bug: 30948740 Bug: 32512923 Change-Id: I72706b69163aa98ee9568939e09e5048b6e8f9f8
* Iteration on findDocumentPath() API.Garfield Tan2016-11-011-7/+7
| | | | | | | Rename findPath() to findDocumentPath() per comment in ag/1588156. Bug: 30948740 Change-Id: I84ef4d9c0ed1f854e0e33f3552a1805b944c2791
* Iteration on findPath API. Address Jeff's comment in ag/1542773.Garfield Tan2016-10-281-6/+12
| | | | | | | | | | * Add @Nullable to rootId in Path constructor. * Erase rootId if findPath() doesn't return null rootId. * Use Log.wtf() instead of throwing. Bug: 30948740 Change-Id: I38354c5ac49aaa7e31a3ae56cd3379ffb19918c9 (Cherry picked from commit 04fdf6e18c97c2bf6ed58f8de9ba6723fa8c1613)
* Iteration on findPath API.Garfield Tan2016-10-141-24/+60
| | | | | | | | | | | * Extend this API to take tree URI * Add toString(), equals() and hashCode() to Path * Address Jeff's comments in ag/1513538 * Add unit tests for findPath Bug: 30948740 Change-Id: Iaf852d0e40fae37623e9bb9ffa1c6fbe334c1b21 (cherry picked from commit d4ab7ade7171a4382ef4f61f2a5f078a17800e83)
* Add findPath API to SAF.Garfield Tan2016-10-061-0/+29
| | | | | | | Implement it in ExternalStorageProvider. Bug: 30948740 Change-Id: I1b7717a794ae3892cd1be5ed90ca155adf9a64f4 (cherry picked from commit 51efc73f3f341393cf93f71604be791205021b69)
* Revert "DO NOT MERGE ANYWHERE: Add findPath API to SAF."Garfield Tan2016-10-061-29/+0
| | | | | | This reverts commit 2f6d0d6db3af4451ae209a07c7dd7ee089cc5653. Change-Id: I0b8581c6d5edb2a47ddfb75afaaa52c43964087b
* DO NOT MERGE ANYWHERE: Add findPath API to SAF.Garfield Tan2016-10-051-0/+29
| | | | | | | | Implement it in ExternalStorageProvider. Bug: 30948740 Change-Id: I03241cdfa561ef2fc0a0b829c9a59ad845e8f844 (cherry picked from commit 51efc73f3f341393cf93f71604be791205021b69)
* Docsui-level work for implementing Eject on Roots list.Ben Lin2016-07-081-13/+17
| | | | | | | | | 1. Added Eject Icon for Roots that support eject 2. Added Context Menu for RootsFragment (Settings and Eject) Bug: 29584653 Change-Id: I97f582de05763e3f0327bc0d2dc6d4e2222e047c (cherry picked from commit d96661f8b0f613b40f2bdfc178bbe06022b5f76c)
* Provider-level changes for implementing direct eject of a root in Files app.Ben Lin2016-06-291-1/+18
| Several changes at different levels: 1. Introduction of ejectRoot(String) for DocumentsProvider 2. Introduction of ejectRoot(ContentResolver, Uri, String) for DocumentsContract 4. Additional permission for MOUNT_UNMOUNT for ExternalStorageProvider 5. Implementation of ejectRoot(String) for ExternalStorageProvider Bug: 29584653 Change-Id: I28557af63259548784cf24d5b051eb06ad5193ca (cherry picked from commit 2ccc18357d6741dde56edc4d5a2608f15f4b9078)
* Merge "Implement getDocumentStreamTypes() in DocumentsProvider." into nyc-devTomasz Mikolajewski2016-02-171-0/+69
|\
| * Implement getDocumentStreamTypes() in DocumentsProvider.Tomasz Mikolajewski2016-02-151-0/+69
| | | | | | | | | | | | | | | | | | | | | | | | According to the documentation, getStreamTypes() must return all streamable MIME types. This CL takes the MIME types from COLUMN_MIME_TYPE as long as the document is not virtual. If the provider implements converters, then it should override getDocumentStreamTypes. Bug: 27156282 Change-Id: I9ab149e097600a470fc9be8f1270f68929fdf851
* | Remove unused return in DocumentsProvider.removeDocument.Tomasz Mikolajewski2016-02-151-1/+1
|/ | | | | | | It's not used anywhere. Exceptions should be thrown on an error. Bug: 27113305 Change-Id: I9d549169e177004597f136776c6763c93101c0c4