| Commit message | Author | Age | Files | Lines |
BluetoothAdapter#closeProfileProxy
Tag: #feature
Bug: 15083918
Test: Manual
Change-Id: Ia46dc4e50d42dbd574588b531045cb680aa09d94
deprecated method in Preconditions class" into sc-dev am: 8699bf3099 am: fd52c53382
Original change: https://googleplex-android-review.googlesource.com/c/platform/frameworks/base/+/14969973
Change-Id: Iba795e20a3d3999b8ed85a9f19e85529d9d203c8
instead of deprecated method in Preconditions class
Tag: #feature
Bug: 190767948
Test: Manual
Change-Id: Ie7f7282b89c13f587fdfe1bf3288eb4a3c7dcc6e
This is a very simple API to allow Android to connect VCP profile.
Bug: 150670922
Test: compilation
Sponsor: jpawlowski@
CTS-Coverage-Bug: 190833351
Change-Id: Ib20d967fcf6797077abf83b40b0eda526e5ab89d
Since developers can use a BluetoothDevice object to make remote
calls, it needs to have an accurate AttributionSource. Previous CLs
had updated many places where these BluetoothDevice instances were
passed across Binder interfaces, but this change updates several
remaining locations which had been missed.
Introduces new "Attributable" marker interface to offer consistent
tooling when applying AttributionSource updates.
Bug: 187097694
Test: atest BluetoothInstrumentationTests
Change-Id: Icad3b9726591f0fbad58a493cefa5a0af7648280
accepts null input and returns an int (with error codes).
Update CompanionDeviceManager#canPairWithoutPrompt to take a
UserHandle instead of an int. Adds BluetoothStatusCodes class for all
new Bluetooth error / success codes. Moved OOB and hci disconnect
constants to the new BluetoothStatusCodes class.
Tag: #feature
Bug: 184714087
Test: atest BluetoothDeviceTest#test_setAlias_getAlias
Change-Id: Ife03506f2cf68800f5824cb5fa94fec8aa34a39c
When users revoke a runtime permission, they expect all interactions
to be blocked, including those protected by the BLUETOOTH_PRIVILEGED
permission.
This change finishes applying that policy to any remaining Bluetooth
APIs which didn't already implement it. To keep the implementation
straightforward, this change does "data delivery" checks when
registering for callbacks; the ideal behavior would be to wait
until data is actually delivered through the callbacks, but
RemoteCallbackList doesn't have support for AttributionSource yet.
Bug: 186405452
Test: atest BluetoothInstrumentationTests
Change-Id: Idd7be143eb8baff020a0718065293baae708041b
am: 79578466f4
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1686315
Change-Id: I00dc7f393edb9b562c97147d053302159c12fcdb
Bug: 185603183
Test: Compiles, test app works
Tag: #feature
Change-Id: I52636769f50f50b5ad2d135f54472bdeb1c25ee5
unhide @SystemApi callback methods
Bug: 178007935
Tag: #feature
Test: compiles
Change-Id: I2d4167a6c92ee0cc24da12df206838161c8f3318
Merged-In: I2d4167a6c92ee0cc24da12df206838161c8f3318
CTS-Coverage-Bug: 184395281
Bug: 178007935
Tag: #feature
Test: manual
Change-Id: I5bc11ac13d9cbb8f76f422aa4aea8295ebec95b4
Merged-In: I5bc11ac13d9cbb8f76f422aa4aea8295ebec95b4
Wires up AttributionSource across the remaining long-tail of
Bluetooth AIDL interfaces, ensuring that developers can accurately
make calls chained back to a specific Context.
Moves "for data delivery" permission checks to happen in a single
location on each interface to ensure they're performed consistently
with the new AttributionSource arguments. Note that "for data
delivery" isn't the best name; it's designed to represent that the
requested action was performed and should result in the relevant
appop being noted for the caller.
This change has the positive side effect of ensuring that all
interfaces are consistently enforcing the BLUETOOTH_CONNECT
permission, even in the case where BLUETOOTH_PRIVILEGED is also
required; this is what ensures that revoking the "Nearby devices"
permission takes effect for all callers.
Additionally, standardizing on enforcing permissions closer to the
AIDL entry point reduces the need for @RequiresPermission annotations
to be carried around inside the Bluetooth stack.
Bug: 183626112
Test: atest BluetoothInstrumentationTests
Change-Id: I8023dda654e325b8bfa2f0cdb994ad63a2b429d4
To prepare for future work which will plumb AttributionSource values
through all remaining AIDLs, we need profiles to interact directly
with the specific BluetoothAdapter they were created from. This is
how we'll ensure that the relevant AttributionSource can be chained
down from the original Context they're obtained from.
This change also marks getDefaultAdapter() as deprecated to clearly
communicate that BluetoothManager.getAdapter() is the best-practice
path to obtaining a correctly scoped BluetoothAdapter instance.
Bug: 183626112
Test: atest BluetoothInstrumentationTests
Change-Id: I1e15170d7679019bbb6e396279d6e633e3dad4d6
This adds attribution source to BT method calls. This is now
required to allow the app ops for the new BT permissions
(BLUETOOTH_CONNECT, BLUETOOTH_ADVERTISE, and BLUETOOTH_SCAN)
to be noted.
Bug: 183626112
Test: atest BluetoothInstrumentationTests
Change-Id: I81598553b762e491d6364064a2e1ef41dec89bf9
Previous CLs had started passing AttributionSource values across
Binder calls inside BluetoothDevice instances, but this can
confuse the permission check logic in the future; we should instead
always aim to use the AttributionSource closest to the app making
the call, instead of parceling it.
This change also improves logging to highlight when we're quietly
treating a permission as denied, and when a UID is mismatched.
Bug: 186106084
Test: atest BluetoothInstrumentationTests
Change-Id: I5d3fdb3c573cb9e77474952d8680caa4c4c464eb
This adds attribution source to AdapterService bluetooth method
calls. This is now required to allow the app ops for the new
bluetooth permissions (BLUETOOTH_CONNECT, BLUETOOTH_ADVERTISE,
and BLUETOOTH_SCAN) to be noted.
Bug: 183626112
Test: atest AdapterServiceTest
Test: atest CtsPermissionTestCases:android.permission.cts.NearbyDevicesPermissionTest
Change-Id: I8d1fe41ca9945a3baab584f248a17b3a1eb255f7
Recent work has been using Error Prone rules and annotations to
reflect the current state of permission enforcement across the
Bluetooth stack, and we're now in a position where we can add new
permission enforcement that had been missing.
We've currently standardized on saying that APIs that return device
or Bluetooth state information (without sharing details about any
particular remote Bluetooth device) do not need to be permission
protected.
Bug: 183626724
Test: ./build/soong/soong_ui.bash --make-mode Bluetooth RUN_ERROR_PRONE=true
Change-Id: I53ac7a4fe1dea57316048c3cac4fa237b6ba3d38
This change adds a "BluetoothPermissionChecker" that ensures that
all Bluetooth permission annotations are consistent. In addition, it
verifies that all Bluetooth public APIs have been audited to be
permission protected where relevant.
We've currently standardized on saying that APIs that return device
or Bluetooth state information (without sharing details about any
particular remote Bluetooth device) do not need to be permission
protected.
This change is only annotations and has no behavior changes.
Bug: 183626724
Test: ./build/soong/soong_ui.bash --make-mode Bluetooth RUN_ERROR_PRONE=true
Change-Id: Ie80b15b058359bf1e9a6ee881b89cb3e5b584ca1
Technically these APIs required both ADVERTISE and CONNECT, since
internally it would attempt getting the device name as part of
calculating packet lengths. These methods shouldn't require the
CONNECT permission, so we add a getNameLengthForAdvertise() method
internally to remove this dependency.
Bug: 183626724
Test: ./build/soong/soong_ui.bash --make-mode Bluetooth RUN_ERROR_PRONE=true
Change-Id: I245417bfc26d6d3a4f8be14077c7f1d271b5959e
Recent work has introduced a new "Nearby devices" runtime permission
which protects all existing Bluetooth APIs; we've done this by
defining a <split-permission> to convert the old BLUETOOTH and
BLUETOOTH_ADMIN permissions into one of three new permissions:
* BLUETOOTH_ADVERTISE: Required to be able to advertise to nearby
Bluetooth devices.
* BLUETOOTH_CONNECT: Allows applications to connect to paired
bluetooth devices.
* BLUETOOTH_SCAN: Required to be able to discover and pair
nearby Bluetooth devices.
At its core, this change begins updating the Bluetooth APIs to have
correct @RequiresPermission indicating which permission is actually
enforced internally. To ensure alignment across Binder, the newly
added "RequiresPermissionChecker" Error Prone checker was used to
discover any inconsistencies, ensuring correctness from server-side
enforcement up through to the public APIs.
In addition, since developers will continue building apps for both
modern and legacy platforms, this change introduces new auto-doc
annotations which will emit helpful consistent documentation
describing the behavior of older devices that are still using the
old permission model.
Bug: 183626724
Test: ./build/soong/soong_ui.bash --make-mode Bluetooth RUN_ERROR_PRONE=true
Change-Id: I02aa127e8e07f239561f4f2a3bbdfc6fccb82f7f
unhide @SystemApi callback methods
CTS-Coverage-Bug: 184395281
Bug: 178007935
Tag: #feature
Test: compiles
Change-Id: I2d4167a6c92ee0cc24da12df206838161c8f3318
CTS-Coverage-Bug: 184395281
Bug: 178007935
Tag: #feature
Test: manual
Change-Id: I5bc11ac13d9cbb8f76f422aa4aea8295ebec95b4
This passes the AttributionSource to AdapterService and GattService
methods that perform scanning or discovery.
Bug: 183203469
Test: atest GattServiceTest
Test: atest AdapterServiceTest
Test: atest CtsPermissionTestCases:android.permission.cts.NearbyDevicesPermissionTest
Change-Id: Id68558624fbae69eac3a8613b9536eb6e0df75bf
When an app is proxying access to runtime permission protected
data it needs to check whether the calling app has a permission
to the data it is about to proxy which leaves a trace in app ops
that the requesting app performed a data access. However, then the
app doing the work needs to get the protected data itself from the
OS which access gets attributed only to itself. As a result there
are two data accesses in app ops where only the first one is a
proxy one that app A got access to Foo through app B - that is the
one we want to show in the permission tracking UIs - and one
for the data access - that is the one we would want to blame on
the calling app, and in fact, these two accesses should be one -
that app A accessed Foo through B. This limitation requires fragile
one off workarounds where both accesses use the same attribution
tag and sys UI has hardcoded rules to dedupe. Since this is not
documented we cannot expect that the ecosystem would reliably
do this workaround in apps that that the workaround in the OS
would be respected by every OEM.
This change adds a mechanism to resolve this issue. It allows for
an app to create an attribution context for another app and then
any private data access through this context would result in a
single app op blame that A accessed Foo through B, i.e. we no longer
have double accounting. Also this can be nested through apps, e.g.
app A asks app B which asks app C for contacts. In this case app
B creates an attribution context for app A and calls into app C
which creates an attribution context for app B. When app C gets
contacts the entire attribution chain would get a proper, single
blame: that C accessed the data, that B got the data from C, and
that A got the data from B. Furthermore, this mechanism ensures
that apps cannot forget to check permissions for the caller
before proxying private data. In our example B and C don't need
to check the permissions for A and B, respectively, since the
permissions for the entire attribution chain are checked before
data delivery. Attribution chains are not forgeable preventing
a bad actor to create an arbitrary one - each attribution is
created by the app it refers to and points to a chain of
attributions created by their corresponding apps.
This change also fixes a bug where all content provider accesses
were double counted in app ops due to double noting. While at
this it also fixes that apps can now access their own last ops.
There was a bug where one could not pass null getting the attributed
ops from a historical package ops while this is a valid use case
since if there is no attribution everything is mapped to the null
tag. There were some app op APIs not being piped through the app
ops delegate and by extension through the app ops policy. Also
now that we have nice way to express the permission chain in a
call we no longer need the special casing in activity manager to
handle content provider accesses through the OS. Fixed a bug
where we don't properly handle the android.os.shell calls with
an invalid tag which was failing while the shell can do any tag.
Finally, to ensure the mechanism is validated and works end-to-end
we are adding support for a voice recognizer to blame the client
app for the mic access. The recognition service can create a blaming
context when opening the mic and if the mic is open, which would
do all permission checks, we would not do so again. Since changes
to PermissionChecker for handling attribution sources were made
the CL also hooks up renounced permissions in the request permission
flow and in the permission checks.
bug:158792096
bug:180647319
Test:atest CtsPermissionsTestCases
atest CtsPermissions2TestCases
atest CtsPermissions3TestCases
atest CtsPermissions4TestCases
atest CtsPermissions5TestCases
atest CtsAppOpsTestCases
atest CtsAppOps2TestCases
Change-Id: Ib04585515d3dc3956966005ae9d94955b2f3ee08
am: 1cac38b565 am: e826ebf682
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1641559
Change-Id: Id8342097bc9fa720151a621342eab4d4813e0644
Bug: 178234318
Test: compiles and runs
Tag: #feature
Change-Id: Ib67e681af01260df98602003b2aca47963494c6f
44602ceb20 am: 966763ceae
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1595220
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ia1006ed22244cf926dc91fa7001d8594b4ebb976
HCI disconnect commands and events have an accompanying "reason"
parameter comprising of a HCI error code. This can be useful in both
debugging and re-connection logic at the Java level.
This CL grabs the HCI codes from native and passes it up to Java via an
extra parameter to existing ACL connection callbacks.
Tag: #feature
Bug: 177668957
Test: atest BluetoothInstrumentationTests
Change-Id: Ic729140b8ffb1273a9ca53cdfd39c9f5d71e1522
Tag: #refactor
Fixes: 180727461
Test: atest BluetoothInstrumentationTests
Change-Id: I4bd084cb6c0371b649adb1d1a65b3327ae3e488a
Merged-In: Id24a4b3a3510781d9105763b1722f44583a7fd7c
combos because they have already been shown the CDM prompt which implicitly provides consent to bond.
Tag: #feature
Bug: 172006481
Test: Manual
Change-Id: I541b720c6b8b6e55be10e04f202e0a58cf33715f
Test: manual
Bug: 168052577
Change-Id: Ib2187fb76e604878b1d4dd9c0cd6cea610b2a04d
(cherry picked from commit 017c2c41456e3938145cf33facea339f9918b20c)
50c722af7f
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1541669
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Iab20c244c8ff5b04f3236cfccb453a4fbe5a8705
Per request from a partner, these APIs will not be restricted as they
are in use. This is conceptually a partial revert of change 049f0f5f419.
NoNonSdkCheck: b/170729553
Bug: 171933273
Test: Treehugger
Change-Id: Ibb525e9a9e2fc90248b74f45f3cdcb0be7487c3a
for BluetoothConnectionCallback. This ensures that if the bluetooth process dies, the callbacks will be re-established once it comes back up." am: 931df24293 am: 2f51154520 am: baa3bef832
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1533089
MUST ONLY BE SUBMITTED BY AUTOMERGER
Change-Id: Ie2489c4307aa21cf42cfae55ed7024ef9109bf1a
BluetoothConnectionCallback. This ensures that if the bluetooth process
dies, the callbacks will be re-established once it comes back up.
Tag: #feature
Bug: 175700972
Test: Manual
Change-Id: I2a20b229fcc1d8f69ccc1b24b62c26ce8155c29f
These are APIs that have @UnsupportedAppUsage but for which we don't
have any evidence of them currently being used, so should be safe to
remove from the unsupported list.
Bug: 170729553
Test: Treehugger
Merged-In: I626caf7c1fe46c5ab1f39c2895b42a34319f771a
Change-Id: I54e5ecd11e76ca1de3c5893e3a98b0108e735413
Test: manual - ensure role privileges are granted/revoked when device is connected/disconnected
Bug: 165951651
Change-Id: Id24a4b3a3510781d9105763b1722f44583a7fd7c
events when a device is connected or disconnected." am: abe9395799 am: 4d0e0a264b am: 07035cb231" into rvc-qpr-dev-plus-aosp am: 9ee26c4355
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1478819
Change-Id: Ic5579ebc90f8a23b799c96704756938ca667a23e
device is connected or disconnected.
Tag: #feature
Bug: 171902843
Test: Manual
Change-Id: I194a35a69fe0c5d960ea88a1a0fa52c8df7738e2
These are APIs that have @UnsupportedAppUsage but for which we don't
have any evidence of them currently being used, so should be safe to
remove from the unsupported list.
This is a resubmit of ag/12929664 with some APIs excluded that caused
test failures; see bugs 171886397, 171888296, 171864568.
APIs excluded:
Landroid/bluetooth/le/ScanRecord;->parseFromBytes([B)Landroid/bluetooth/le/ScanRecord;
Landroid/os/Process;->myPpid()I
Landroid/os/SharedMemory;->getFd()I
Landroid/hardware/input/InputManager;->INJECT_INPUT_EVENT_MODE_WAIT_FOR_FINISH:I
Bug: 170729553
Test: Treehugger
Change-Id: I8285daa8530260251ecad6f3f38f98e263629ca7
This reverts commit bc9a809f18a3b0ec23cbc39802fb4928c2074ea3.
Reason for revert: Droidcop-triggered revert due to breakage https://android-build.googleplex.com/builds/quarterdeck?testMethod=testAppZygotePreload&testClass=android.app.cts.ServiceTest&atpConfigName=suite%2Ftest-mapping-presubmit-retry_cloud-tf&testModule=CtsAppTestCases&fkbb=6936597&lkbb=6936969&lkgb=6936551&testResults=true&branch=git_master&target=cf_x86_phone-userdebug>, bug b/171886397
Bug: 171886397
Change-Id: Ibe0f0430a3451477c1ee8ef56a596e91ea1e7672
These are APIs that have @UnsupportedAppUsage but for which we don't
have any evidence of them currently being used, so should be safe to
remove from the unsupported list.
Bug: 170729553
Test: Treehugger
Change-Id: I4c8fd0006f950de9955242e93968fb0996ceb372
am: 1a3114c6a0 am: 8adc36ba20
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1449262
Change-Id: I78d8b4f3572d172cda209bfe98edd8f3e5f560b0
Bug: 169654068
Test: compilation
Change-Id: Ibb0046180760e27d6991ae17849a7405738b6f01
7d4e7a0e02 am: f92319747e am: a31ee4c4a0
Original change: https://android-review.googlesource.com/c/platform/frameworks/base/+/1426195
Change-Id: Id01f468b43fd5b2aada78608010625b392c1b647
See https://source.android.com/setup/contribute/respectful-code for reference
Test: none
Bug: 168334533
Exempt-From-Owner-Approval: docs updates
Change-Id: I245b8d9cac722da76ea67983738a3cbb9deb68df
Bug: 166295507
Merged-In: I3d92a6de21a938f6b352ec26dc23420c0fe02b27
Change-Id: Ifdb80563ef042738778ebb8a7581a97c4e3d96e2