7afcb3f98e7342985ba5e62bf6d3a5ac1282e545 |
|
09-Apr-2018 |
Jeff Sharkey <jsharkey@android.com> |
Protect usage data with OP_GET_USAGE_STATS. APIs that return package usage data (such as the new StatsManager) must ensure that callers hold both the PACKAGE_USAGE_STATS permission and the OP_GET_USAGE_STATS app-op. Add noteOp() method that can be called from native code. Also add missing security checks on shell commands. Bug: 77662908 Test: builds, boots Change-Id: I15efd6f5dde61e807269b5132a052548ea4e800f
/frameworks/native/libs/binder/IPermissionController.cpp
|
e752a5cc64b78f799525aa4e44e5f74e8c402465 |
|
16-Jan-2018 |
Svet Ganov <svetoslavganov@google.com> |
No sensor access to idle UIDs - native framework Idle UIDs are ones that were in the background for long enough time. Currently such apps can access sensor data even though they have no user perceptible components running. This affects the user's privacy since an app in the background can use sensor data to infer location, activity, habits, etc. The goal is to restrict sensor access for all apps in the ecosystem regardless of target SDK which means the solution should be backwards compatible. At the high level the sesnor service observes UID state changes and applies policy like this: Continuous sensors: for sensros in this reporting mode when the UID goes in the background we will stop dispatching events. Once the UID goes active we will start reporting the events. While this is an app visible behavior change we would rather do that vs delivering fake events. Flush events: there is no change in behavior based on the UID state. Hence, idle apps can request a flush and would get the completion callback. From an app perspective flushing works at any point. Trigger events: for sensors in this reporting mode when the UID goes in the background we will not report any trigger events. From an app perspective the sensor just did not pick up any events. On-change events: for sensors in this reporting mode when the UID goes in the background we will not report any change events. From an app perspective the sensor just did not pick up any events. Wake locks: since UIDs in idle state cannot acquire wakelocks we will not be grabbing a wakelock on behalf of apps in that state. Test: Added - SensorTest#testSanitizedContinuousEventsUidIdle Added - SensorTest#testBatchAndFlushUidIdle Pass - cts-tradefed run cts-dev -m CtsSensorTestCases bug:63938985 Change-Id: I156803610ad6d86afaae641ebbb0e84f16d2344b
/frameworks/native/libs/binder/IPermissionController.cpp
|
e2347b7953f70232541bdc1b392230d6231aaeb9 |
|
26-Apr-2016 |
Chih-Hung Hsieh <chh@google.com> |
Fix google-explicit-constructor warnings. Bug: 28341362 Change-Id: I0ce850de85e0de6a5472dd142f738856142db9ec
/frameworks/native/libs/binder/IPermissionController.cpp
|
b412f6e203b38f8047f760261a5e3dc6d0722f08 |
|
30-Apr-2015 |
Svetoslav <svetoslavganov@google.com> |
Add body sensors app op - framework native Change-Id: I727a2bb1e28ae9158f2df9c74dd0aee977dfd47f
/frameworks/native/libs/binder/IPermissionController.cpp
|
f1377f506c764a8b254b60ee28e38e12ccc8135c |
|
28-Apr-2015 |
Svet Ganov <svetoslavganov@google.com> |
Respect the record audio app op - frameworks native Change-Id: Id747767377953fd644a538aad3f603d6c50875a2
/frameworks/native/libs/binder/IPermissionController.cpp
|
317ff37cf79d31170fa7320f0ba5ded1ec043e4c |
|
29-May-2014 |
Mark Salyzyn <salyzyn@google.com> |
binder: rm utils/Debug.h Change-Id: I16931919a26c16a0d701771c93fa7fe1c6f60ef8
/frameworks/native/libs/binder/IPermissionController.cpp
|
837a0d0fb2c3fba8082d47d04cb6120af1eb9a54 |
|
14-Jul-2010 |
Brad Fitzpatrick <bradfitz@android.com> |
Add Parcel::readExceptionCode() and Parcel::writeNoException() Add native Parcel methods analogous to the Java versions. Currently, these don't do much, but upcoming StrictMode work changes the RPC calling conventions in some cases, so it's important that everybody uses these consistently, rather than having a lot of code trying to parse RPC responses out of Parcels themselves. As a summary, the current convention that Java Binder services use is to prepend the reply Parcel with an int32 signaling the exception status: 0: no exception -1: Security exception -2: Bad Parcelable -3: ... -4: ... -5: ... ... followed by Parceled String if the exception code is non-zero. With an upcoming change, it'll be the case that a response Parcel can, non-exceptionally return rich data in the header, and also return data to the caller. The important thing to note in this new case is that the first int32 in the reply parcel *will not be zero*, so anybody manually checking for it with reply.readInt32() will get false negative failures. Short summary: If you're calling into a Java service and manually checking the exception status with reply.readInt32(), change it to reply.readExceptionCode(). Change-Id: I23f9a0e53a8cfbbd9759242cfde16723641afe04
/frameworks/native/libs/binder/IPermissionController.cpp
|
83c0446f27b9542d6c2e724817b2b2d8d1f55085 |
|
23-May-2009 |
Mathias Agopian <mathias@google.com> |
some work to try to reduce the code size of some native libraries - make sure that all binder Bn classes define a ctor and dtor in their respective library. This avoids duplication of the ctor/dtor in libraries where these objects are instantiated. This is also cleaner, should we want these ctor/dtor to do something one day. - same change as above for some Bp classes and various other non-binder classes - moved the definition of CHECK_INTERFACE() in IInterface.h instead of having it everywhere. - improved the CHECK_INTERFACE() macro so it calls a single method in Parcel, instead of inlining its code everywhere - IBinder::getInterfaceDescriptor() now returns a "const String16&" instead of String16, which saves calls to String16 and ~String16 - implemented a cache for BpBinder::getInterfaceDescriptor(), since this does an IPC. HOWEVER, this method never seems to be called. The cache makes BpBinder bigger, so we need to figure out if we need this method at all.
/frameworks/native/libs/binder/IPermissionController.cpp
|
c5b2c0bf8007562536b822eb060fc54a01f8e08b |
|
20-May-2009 |
Mathias Agopian <mathias@google.com> |
move libbinder's header files under includes/binder
/frameworks/native/libs/binder/IPermissionController.cpp
|
208059f67ed2dd9fa025e07fcb6954d3cb61c79e |
|
19-May-2009 |
Mathias Agopian <mathias@google.com> |
checkpoint: split libutils into libutils + libbinder
/frameworks/native/libs/binder/IPermissionController.cpp
|