6df866a8510af2776c48425a361f708ae7f5d7d6 |
|
31-Mar-2017 |
Jeff Sharkey <jsharkey@android.com> |
Enforce PACKAGE_USAGE_STATS for usage data. Some system services are offering package usage data through both public/system APIs and through dump() calls. In principle, usage data hould always be protected with PACKAGE_USAGE_STATS, so start enforcing that. (Otherwise if a user blocked PACKAGE_USAGE_STATS access to an app, that app could still obtain the data via dump() if they held the DUMP permission.) Bottom line, let's respect the user's wishes. Protecting the entire output like this is pretty blunt, but future CLs can add more nuance to the output if desired. Test: cts-tradefed run commandAndExit cts-dev -m CtsSecurityTestCases -t android.security.cts.ServicePermissionsTest Bug: 32806790 Change-Id: I46173562713bea7d89e12a4313c78eb52ea8d77d
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
fe9a53bc45fd0124a876dc0a49680aaf86641d3e |
|
31-Mar-2017 |
Jeff Sharkey <jsharkey@android.com> |
Consistent dump() permission checking. This change introduces new methods on DumpUtils that can check if the caller has DUMP and/or PACKAGE_USAGE_STATS access. It then moves all existing dump() methods to use these checks so that we emit consistent error messages. Test: cts-tradefed run commandAndExit cts-dev -m CtsSecurityTestCases -t android.security.cts.ServicePermissionsTest Bug: 32806790 Change-Id: Iaff6b9506818ee082b1e169c89ebe1001b3bfeca
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
fb64de06cd1f6cd0346e481f13d6cb886dff1bfb |
|
01-Mar-2017 |
TreeHugger Robot <treehugger-gerrit@google.com> |
Merge "Use context's userId in ContentResolver class."
|
b4e2ddde4f08ba25f57c97a4fe7c339cbe805559 |
|
04-Feb-2017 |
Sudheer Shanka <sudheersai@google.com> |
Use context's userId in ContentResolver class. - When registering and notifying observers, we should use the user in the context as opposed to current user. - Relax the permission check while registering and notifying content observers to use INTERACT_ACROSS_USERS instead of INTERACT_ACROSS_USERS_FULL permission. Change-Id: I973936903d4a2272c5722f3b98a057a40c0402be Fixes: 32955100 Test: Created managed profile and verified that there are not failures. runtest -x core/tests/coretests/src/android/content/SecondaryUserContentResolverTest.java runtest -x core/tests/coretests/src/android/content/ManagedUserContentResolverTest.java
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
912e80d3450943ac2bbca03f33c31c042799a0a1 |
|
24-Feb-2017 |
Jeff Sharkey <jsharkey@android.com> |
Require valid authorities for Uri notifications. Content changed notifications are really only valid for content:// Uris, which are really only valid when we have a valid ContentProvider backing them. This has been implicit for a long time, but we actually need to start enforcing it based on target API. We also now tell developers about why their notification requests are being denied, instead of silently logging. Test: builds, boots, common operations work Bug: 34049049 Change-Id: Ie8ab8d8674cff13e3e9269ffddc4ad998cb848c4
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
923e0b8811ae07659408624aeeede18bc8b1197c |
|
17-Nov-2016 |
Jeff Sharkey <jsharkey@android.com> |
Check provider access for content changes. For an app to either send or receive content change notifications, require that they have some level of access to the underlying provider. Without these checks, a malicious app could sniff sensitive user data from the notifications of otherwise private providers. Test: builds, boots, PoC app now fails Bug: 32555637 Change-Id: If2dcd45cb0a9f1fb3b93e39fc7b8ae9c34c2fdef
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
dc589ac82b5fe2063f4cfd94c8ae26d43d5420a0 |
|
11-Nov-2016 |
Sudheer Shanka <sudheersai@google.com> |
Update usage of ActivityManagerNative. - Remove references to ActivityManagerProxy. - Add isSystemReady to ActivityManager. Bug: 30977067 Test: cts/hostsidetests/services/activityandwindowmanager/util/run-test android.server.cts adb shell am instrument -e class com.android.server.am.ActivityManagerTest,com.android.server.am.TaskStackChangedListenerTest \ -w com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner Change-Id: I07390b6124fb1515821f5c0b37baf6ae74adc8fa
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
96b9c75cec453cd0228c5993bd691b7d5783bc7d |
|
18-Oct-2016 |
Svet Ganov <svetoslavganov@google.com> |
Validate input for ContentService#setIsSyncable The syncable parameter value cannot be set to SYNCABLE_NO_ACCOUNT_ACCESS which is a synthetic state that is computed but never persisted. It just means that the sync adapter cannot access the account regardless of its current syncable state and we want to keep its current syncable state to start from there once account access is granted. bug:31794527 Change-Id: I606c4b517977d0b0d3e7ffe753dfd235a875fcd7
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
91d37f43c73d76a54679bb84a71a6339bccb1e24 |
|
04-Sep-2016 |
Svet Ganov <svetoslavganov@google.com> |
[DO NOT MERGE] While-list apps to access account if already saw it Sync adapters without an account access cannot run until the user approves the account access (for the case the account access is not allowed by other policy such as being singed with the same cert as the authenticator). However, if the sync adapter package already got the account from another app which means it already saw the account we white-list the sync adapter app to access the account as it already saw it - the bird is out of the cage. bug:31162498 Change-Id: I2b72f3b0d6307561ed68db2f2e9c900b15e8d098
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
5cb2973495084f8ce3433b579e4b4962ed9d7efc |
|
12-Jul-2016 |
Svetoslav Ganov <svetoslavganov@google.com> |
Only sync adapters with access can see an account - framework It was possible for a sync adapter without accounts access to see the account which it is supposed to sync which can be used to identify the user. This change ensures that only sync adapters with account access can run (which results in seeing the account), otherwise we involve the user to approve access only to this account. A sync adapter can access an account if one of these is true: - it is signed as the authenticator for this account - has the GET_ACCOUNTS permission - has an auth token for the account - it is a preinstalled app (system or privileged) The main thing we need to figure out is if the extra prompts for giving access to a sync adapter to the account create too much friction. bug:28163381 Change-Id: Ie083bb681b5a2aed81ca5f6a062193a175fad77e
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
7ef9f61be627a764902ee59bdc2af6aea83916df |
|
17-Jun-2016 |
Svetoslav Ganov <svetoslavganov@google.com> |
Merge "Don't dispatch Uris with appended user handle" into nyc-dev
|
3138a9938b19d596b1581a538eb019f134903d06 |
|
16-Jun-2016 |
Svet Ganov <svetoslavganov@google.com> |
Don't dispatch Uris with appended user handle This change fixes a bug where we started appending the user id to the changing Uri for observers to know what user's Uri changed. This is problematic as it changes the Uri structure expected by observers. Also there are no public APIs to factor out the user id from the Uri. If a system component needs to know for which user a Uri changed it can use ContentObserver#onChange(boolean, Uri, int) where the last argument is the user id. bug:19312280 Change-Id: I5f0982ac3c8d6b6eab060bab65d3b53182660ac7
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
3b840e378a97a71c6592fb924b39d73d89931a38 |
|
14-Jun-2016 |
Shreyas Basarge <snb@google.com> |
Update SyncManager min period to match JobScheduler Use JobScheduler's minimum period in SyncManager. Syncs will respect JobScheduler's min period anyway, this change ensures that dumpsys of both services show the same period. Bug: 29253834 Change-Id: I0cd7f85da56af967963573a048c3a71436ed9c5b
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
051f3b7aecdde128ec3b812164a39dff81633b84 |
|
18-May-2016 |
Nicolas Prevot <nprevot@google.com> |
Use correct user id when checking uri grants for notification. An application is allowed to notify a change to a uri if it has a grant to this uri. Use the correct user id to check this grant. BUG:19312280 Change-Id: I8bad2e65325fdfef4907d7b71b4f264dff567217
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
e761777323444e900ab683137a1e4d6abecdc728 |
|
28-Apr-2016 |
Dianne Hackborn <hackbod@google.com> |
Fix issue #28431297: Crash in system process Don't allow null URIs to get put into the notification path. Change-Id: I4f68f438960c8a90c7b417feaa2e19968a3a200a
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
1cab76af8537a275d1af38d25f5692a68e48eed6 |
|
13-Apr-2016 |
Jeff Sharkey <jsharkey@android.com> |
Make wallpapers direct-boot aware. If the user's wallpaper isn't direct-boot aware, wait around for the user to be unlocked, instead of clearing the wallpaper. Also switch a few classes to using SystemService lifecycle, since events are dispatched faster than through broadcasts. Fix bug where ContentService.systemReady() was never called, and make sure EntropyMixer doesn't risk being GC'ed. Bug: 26280055 Change-Id: I9fff468a439b868baa68cf11bb6ee9f7d52b7b5a
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
141f11c82a2dbf042833f75aeae6f028e8ae2084 |
|
06-Apr-2016 |
Dianne Hackborn <hackbod@google.com> |
More work on issue #26390151: Add new JobScheduler API... ...for monitoring content providers - Improve media provider change reporting so that observers can avoid spurious reports of the top-level content directory changing. - Fix a bug where collected content changes while a job was running were not being properly propagated to the next job. Change-Id: I29e3c2960e6fec75b16ee3ee6588d47342bf8c75
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
a3ebfec731c2f1fcc67ecf58d4634e957b044cba |
|
04-Apr-2016 |
Jeff Sharkey <jsharkey@android.com> |
Invalidate caches when locale changes. When loading roots for the first time, we're okay using any cached data from the system, but if the locale changes we need to force-refresh everything. Now that we're always using the system cache, we have a nice strong signal for "empty" versus "not cached" results, so we don't need to wait around for the first loading pass to finish. Add logic to invalidate system cache when locale changes, and fix locking bug. Bug: 27977906 Change-Id: Ic50083eff360bea887799583f6c9f02c129eec91
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
7732e1e544e89d4a79368c0025901da62f7226a5 |
|
31-Mar-2016 |
Jeff Sharkey <jsharkey@android.com> |
Fix RootsCache invalidation bugs. When RootsCache is still running and it detects a provider/package change, it needs to force reload roots. Also fix cache invalidation bug in ContentService to allow for Uri prefix matches. Mark internal storage broadcasts with flag to bypass new background checks. Bug: 27759529 Change-Id: I9d9c6fe15d8640ff56ae7214afb3bac673682c28
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
a04c7a7c6442b8c6f87f5dd11fc5659cdb92decc |
|
18-Mar-2016 |
Jeff Sharkey <jsharkey@android.com> |
Mark more Bundles as being defusable. They're destined for the system, so they're okay to look inside. Bug: 27726127 Change-Id: Ic85c308a8efe6f9b8652952717c72b3c663d328a
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
8731408b11a24e3a92188653548f2c90bf866a32 |
|
12-Mar-2016 |
Jeff Sharkey <jsharkey@android.com> |
Offer to cache ContentResolver-related Bundles. There are a handful of core system services that collect data from third-party ContentProviders by spinning them up and then caching the results locally in memory. However, if those apps are killed due to low-memory pressure, they lose that cached data and have to collect it again from scratch. It's impossible for those apps to maintain a correct cache when not running, since they'll miss out on Uri change notifications. To work around this, this change introducing a narrowly-scoped caching mechanism that maps from Uris to Bundles. The cache is isolated per-user and per-calling-package, and internally it's optimized to keep the Uri notification flow as fast as possible. Each Bundle is invalidated whenever a notification event for a Uri key is sent, or when the package hosting the provider is changed. This change also wires up DocumentsUI to use this new mechanism, which improves cold-start performance from 3300ms to 1800ms. The more DocumentsProviders a system has, the more pronounced this benefit is. Use BOOT_COMPLETED to build the cache at boot. Add more permission docs, send a missing extra in DATA_CLEARED broadcast. Bug: 18406595 Change-Id: If3eae14bb3c69a8b83a65f530e081efc3b34d4bc
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
40a11e525c3888613361a555d71ff13e5ef834e4 |
|
01-Feb-2016 |
Shreyas Basarge <snb@google.com> |
Merge "Updated Javadoc to reflect min period"
|
e96c3b7eff5290f2a6c5e572babbfa8a3897be96 |
|
29-Jan-2016 |
Shreyas Basarge <snb@google.com> |
Updated Javadoc to reflect min period Javadoc updated and logging added for min period and min flex enforcements in JobScheduler and SyncManager. Bug: 26874152 Change-Id: Ifdd248b776a1bd04df21b7b9f0ac96bdef0f8bb6
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
8c834c07675052c984728cbf79f7c2e0d8246e43 |
|
07-Jan-2016 |
Shreyas Basarge <snb@google.com> |
SyncManager on JobScheduler SyncManager now uses JobScheduler for scheduling and persistence purposes. Change-Id: I38c92aedbf4d891ca297644d0b706835aaedfcd6
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
506e47fcc40ed8576e59abc464ffc5575cacc374 |
|
20-Jan-2016 |
Matthew Williams <mjwilliams@google.com> |
Redact Account info from getCurrentSyncs am: f39549e389 am: 1a0aed3257 am: 0e7cd0a9fb am: be136b7a3e am: a947baa87c am: 0f292147f3 am: ce3842eb1a am: 85f169d19f am: c77a2228aa am: 4cc10825f0 am: 88d641ce26 * commit '88d641ce265fe1c6b188b5fa2a2397f3fa8e15ba': Redact Account info from getCurrentSyncs
|
0f292147f3ac803a8701afd7362ad3e0487fd496 |
|
20-Jan-2016 |
Matthew Williams <mjwilliams@google.com> |
Redact Account info from getCurrentSyncs am: f39549e389 am: 1a0aed3257 am: 0e7cd0a9fb am: be136b7a3e am: a947baa87c * commit 'a947baa87caeb6733846d6de4ef2bf84f7ab0fa1': Redact Account info from getCurrentSyncs
|
309a75556af595ccbc0f0e06828b141cc040afbc |
|
20-Jan-2016 |
Matthew Williams <mjwilliams@google.com> |
Revert "Redact Account info from getCurrentSyncs" This reverts commit b63057e698a01dafcefc7ba09b397b0336bba43d. Reverting this b/c http://droidmerger-01.mtv.corp.google.com:8888/googleplex/branch/lmp-dev claims there's an automerge path from lmp-dev all the way to master. Change-Id: Ia99a20410153442436ea836b5223a524b640dcbf
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
f39549e389edf62f43bacd95a1b8580d75ad77ed |
|
20-Jan-2016 |
Matthew Williams <mjwilliams@google.com> |
Redact Account info from getCurrentSyncs BUG:26094635 If the caller to ContentResolver#getCurrentSyncs does not hold the GET_ACCOUNTS permission, return a SyncInfo object that does not contain any Account information. Change-Id: I5628ebe1f56c8e3f784aaf1b3281e6b829d19314 (cherry picked from commit b63057e698a01dafcefc7ba09b397b0336bba43d)
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
b63057e698a01dafcefc7ba09b397b0336bba43d |
|
20-Jan-2016 |
Matthew Williams <mjwilliams@google.com> |
Redact Account info from getCurrentSyncs BUG:26094635 If the caller to ContentResolver#getCurrentSyncs does not hold the GET_ACCOUNTS permission, return a SyncInfo object that does not contain any Account information. Change-Id: I5628ebe1f56c8e3f784aaf1b3281e6b829d19314
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
bef28feba57be7fd6a4d14a85a8229154338b2ed |
|
30-Oct-2015 |
Dianne Hackborn <hackbod@google.com> |
Initial stab at background check. Actually, this implementation is more what we want for ephemeral apps. I am realizing the two are not really the same thing. :( For this implementation, we now keep track of how long a uid has been in the background, and after a certain amount of time (currently 1 minute) we mark it as "idle". Any packages associated with that uid are then no longer allowed to run in the background. This means, until the app next goes in the foreground: - No manifest broadcast receivers in the app will execute. - No services can be started (binding services is still okay, as this is outside dependencies on the app that should still be represented). - All alarms for the app are cancelled and no more can be set. - All jobs for the app are cancelled and no more can be scheduled. - All syncs for the app are cancelled and no more can be requested. Change-Id: If53714ca4beed35faf2e89f916ce9eaaabd9290d
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
52153f4c0540a991b5b7214f4f14b5a891479a3c |
|
11-Aug-2015 |
Svet Ganov <svetoslavganov@google.com> |
Add GTS test to ensure valid default permission grants - framework The platform grants runtime permissions by default to apps on the system image that provide core device use cases which a user expects to work out-of-the-box. We are now adding a test to ensure that OEMs cannot pregrant premissions on non approved components. bug:23043018 Change-Id: Id76717cce0ee59678956bd0be347d3c045fe4c51
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
0010b70beae6fafd3faf06e1b02291f59f9f85db |
|
01-Jul-2015 |
Svetoslav <svetoslavganov@google.com> |
Grant permissions to headless system calendar/contacts sync adapters. bug:21861781 Change-Id: I5f9905a23ba1b23e387adf2cea842172d34207b0
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
adea1918bef942b6214cf549b1316affd2b10280 |
|
19-Jun-2015 |
Benjamin Franz <bfranz@google.com> |
Make ContentObservers work across profiles Currently registering for changes to a cross-user Uri does not work, as the calling user id is used to identify the Uri. Change this to use the userId the Uri is associated with. In order to protect Uris across users, we only allow registration for a Uri when the caller has read permission. We also only allow notify calls from across users when the caller has write permission to the Uri. Bug: 19312280 Change-Id: Ide216b09980ed5ebefe9b37c946dd8160167809f
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
37a40c24deb02bca3868a8085069afae112f22e4 |
|
17-Jun-2015 |
Amith Yamasani <yamasani@google.com> |
App Standby : Association between content providers and their sync adapter Set sync adapters to active if the associated content providers are used at foreground process state. Minimize how frequently published content providers are reported by keeping track of last reported time. Also cache sync adapters associated with an authority in SyncManager. Bug: 21785111 Change-Id: Ic2c8cb6a27f005d1a1d0aad21d36b1510160753a
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
08c7116ab9cd04ad6dd3c04aa1017237e7f409ac |
|
28-Feb-2015 |
John Spurlock <jspurlock@google.com> |
Remove unused imports in frameworks/base. Change-Id: I031443de83f93eb57a98863001826671b18f3b17
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
86b1df234397802895771fe14cd8f2813fa43415 |
|
21-Aug-2014 |
Svetoslav <svetoslavganov@google.com> |
Print services setting changes not handled for managed profiles. We keep per user settings for enabled print services which are observed to update the print manager service state. We were listening to all user changes but the handling code was not updating the state of the user whose settings changed, rather the current user. Added hidden APIs in content observer to know which user changed and now the print manager serivce handles content changes for the correct user. bug:16977006 Change-Id: I71ec88c8f3f38cb405844c13ab83695c2029eb79
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
0e9ac20d7e0c9aca8cd342d97465adfac4c7e6e1 |
|
16-Jul-2014 |
Alexandra Gherghina <alexgherghina@google.com> |
Do Not Merge Per-user API for master sync Change-Id: I6a8088eb3bfddae4c8e38904dd26baf3c7c09c9e (cherry picked from commit 222aea8bd997807784dc99ca53f63280d384fdf0)
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
cb22807ffcf79db1b62162842d0a90251a463ea7 |
|
01-Jul-2014 |
Alexandra Gherghina <alexgherghina@google.com> |
Adds per-user APIs required by the Settings app Bug: 15466880 Change-Id: Ic99fbf074564901b04d32b08f3a7a38555f330b3
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
0363c3eb089afd4474bfd6ae6ee8a500d6e97614 |
|
23-Jun-2014 |
Alexandra Gherghina <alexgherghina@google.com> |
Expose per-user APIs for content services. Bug: 15466880 Change-Id: Ib5a030e78559307627fe0d2e80ce6f1a7825109d
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
5a9decd589f3f6a512168fd669ee2c5d8daa238b |
|
04-Jun-2014 |
Matthew Williams <mjwilliams@google.com> |
Redact SyncService stuff from master This changes the API surface area, deleting things we aren't releasing. I'll do the internal clean-up at the same time I do the SyncManager refactor to sit on top of the TaskManager. Bug: 14997851 Change-Id: Ibefbb246f0e98d3159399151744279902468a23c
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
4b9d79c30eccb61645d98a4f0d49b7769e8c7ccc |
|
22-May-2014 |
Amith Yamasani <yamasani@google.com> |
Fix singleUser attribute Make it work correctly for singleton content providers. Relax which apps can export singleton content providers. Change-Id: I43d315c25ed76a876bfa6d5e0d1351bc19c9bdba
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|
49782e46c0eb85a25ae2abcf80880c48dbab5aea |
|
20-Dec-2013 |
Amith Yamasani <yamasani@google.com> |
am 9158825f: Move some system services to separate directories * commit '9158825f9c41869689d6b1786d7c7aa8bdd524ce': Move some system services to separate directories
|
9158825f9c41869689d6b1786d7c7aa8bdd524ce |
|
22-Nov-2013 |
Amith Yamasani <yamasani@google.com> |
Move some system services to separate directories Refactored the directory structure so that services can be optionally excluded. This is step 1. Will be followed by another change that makes it possible to remove services from the build. Change-Id: Ideacedfd34b5e213217ad3ff4ebb21c4a8e73f85
/frameworks/base/services/core/java/com/android/server/content/ContentService.java
|