| Age | Commit message (Collapse) | Author |
|---|
|
Refactored the directory structure so that services can be optionally
excluded. This is step 1. Will be followed by another change that makes
it possible to remove services from the build.
Change-Id: Ideacedfd34b5e213217ad3ff4ebb21c4a8e73f85
|
|
Current AccountManager code for getAuthToken checks if the account
in the request exists. If the account does not exist then it throws
an exception which leads to a runtime exception being thrown by
AccountManager in the client. In perticular, Checkin client code
hits this issue when accounts are deleted by user. As the exception
is thrown from the getAuthToken method call and is a RuntimeException
it is not caught by the client. Futhermore, Checkin runs in one of the
important processes and this exception makes the process crash.
This cl, does the following:
1) Delegates the account exists check to Authentictor which in turn
would cause an AuthenticatorException which is a checked exception.
2) Replaces some of the runtime exceptions thrown by AccountManagerService
with calling AccountManagerResponse.onError() which causes more graceful
failure on the client.
3) Correctly passes on the error returned by Authenticator to
AccountManager. Earlier if Authenticator returned an error code to
the AccountManager, it ignored the error and returned null token to the
client which was incorrect.
Bug: 10856295
Change-Id: Ie250fec601d46f6dfecd74677b478bfd4e9dcfad
|
|
Bug: 11219355
Change-Id: Iec031739dc0d751ee9841ca2c495a346d689ad2a
|
|
Should fix the occasional deadlock that ends up killing the system process via
Watchdog.
Bug: 11033281
Change-Id: Ie9cec0b6e2bd44bb03848b04aec5f9bd04ee74d6
|
|
The main problem here was a mistake when turning a single process
structure to a multi-package-process structure with a common
process. When we cloned the original process state, if there were
any services already created for the process for that package, they
would be left with their process pointer still referencing the
original now common process instead of the package-specific process,
allowing the active counts to get bad. Now we switch any of those
processes over to the new package-specific process.
There was also another smaller issue with how ServiceRecord is
associated with a ServiceState -- we could be waiting for an
old ServiceRecord to be destroyed while at the same time creating
a new ServiceRecord for that same service class. These would share
the same ServiceState, so when the old record finally finished
destroying itself it would trample over whatever the new service
is doing.
This is fixed by changing the model to instead of using an "active"
reference count, we have an object identifying the current owner
of the ServiceState. Then when the old ServiceRecord is cleaning
up, we know if it is still the owner at that point.
Also some other small things along the way -- new Log.wtfStack()
method that is convenient, new suite of Slog.wtf methods, fixed
some services to use Slog.wtf when catching exceptions being
returned to the caller so that we actually know about them.
Change-Id: I75674ce38050b6423fd3c6f43d1be172b470741f
|
|
Various authenticator results such as getAuthToken and addAccount might
result in an Intent returned to the AccountManager caller. A malicious
authenticator could exploit the fact that the Settings are a system app,
lead the user to launch add account for their account type and thus get
Settings to use the intent to start some arbitrary third parties Activity.
The fix is to make sure that the UID of the app associated with Activity
to be launched by the supplied intent and the Authenticators UID share
the same signature. This means that an authenticator implementer can only
exploit apps they control.
Bug: 7699048
Change-Id: I34330454c341e6a8422ca1ed3b390466a0feedce
|
|
"signatureOrSystem" permissions are no longer available to all apps
residing en the /system partition. Instead, there is a new /system/priv-app
directory, and only apps whose APKs are in that directory are allowed
to use signatureOrSystem permissions without sharing the platform cert.
This will reduce the surface area for possible exploits of system-
bundled applications to try to gain access to permission-guarded
operations.
The ApplicationInfo.FLAG_SYSTEM flag continues to mean what it is
says in the documentation: it indicates that the application apk was
bundled on the /system partition. A new hidden flag FLAG_PRIVILEGED
has been introduced that reflects the actual right to access these
permissions.
At some point the "system" permission category will be
renamed to "privileged".
Bug 8765951
Change-Id: I6f0fd9cdb9170e076dfc66d83ecea76f8dd7335d
|
|
name" into jb-mr2-dev
* commit '77049e1303bba3056c4a1353d3c03421d0ba27f7':
Fix account filtering for specific package name
|
|
Hacks to enable gms to see accounts were interfering with checking for
explicit package name.
Bug: 9095427
Change-Id: Iae65ea2a678d7403d023fa1a61c01347b77c3b5a
|
|
auth tokens" into jb-mr2-dev
* commit 'fb37bb67ec8ec2180e7afb51e748a7f56cabae23':
Don't allow non-authorized apps to access auth tokens
|
|
For restricted profiles, if an app tries to guess an account name and
requests an auth token, even though the framework is going to prompt
for permission, it could be authorized by someone who can't read.
If the app is not opting in to see accounts, don't let it get auth tokens
by verifying first that it's in the list of known accounts.
Bug: 8736380
Change-Id: I6caf88cfe14aa1023d55bcb28ad80ccd89eeb79b
|
|
This introduces four generic thread that services can
use in the system process:
- Background: part of the framework for all processes, for
work that is purely background (no timing constraint).
- UI: for time-critical display of UI.
- Foreground: normal foreground work.
- IO: performing IO operations.
I went through and moved services into these threads in the
places I felt relatively comfortable about understanding what
they are doing. There are still a bunch more we need to look
at -- lots of networking stuff left, 3 or so different native
daemon connectors which I didn't know how much would block,
audio stuff, etc.
Also updated Watchdog to be aware of and check these new
threads, with a new API for other threads to also participate
in this checking.
Change-Id: Ie2f11061cebde5f018d7383b3a910fbbd11d5e11
|
|
* commit 'ba56701493ede3f5f338a03173da0327a215b223':
Improve API and documentation
|
|
API for querying accounts visible to a specific package.
Improve API and docs for device owner.
Bug: 8657158
Change-Id: I01b8701534f64b383391508a49ae93ed21f22ae0
|
|
requested on a limited user" into jb-mr2-dev
* commit '399a2977a5067e4ea562ad4d74aaa0f1bffe4c53':
Show an error dialog when account type is requested on a limited user
|
|
This covers the scenario where an app doesn't find an account of the
required type and requests the account manager to add one of that
type.
Bug: 8537648
Change-Id: I4d9c8842c2d90aa668f16034d3db007dc61714b8
|
|
jb-mr2-dev
* commit '4b808adc44b8d5f1538eff40e5b685c14154b948':
Fixed a NPE in AccountManagerService
|
|
Bug: 8518620
Change-Id: Idf9b5864896ec57c63e3987fc01c73a5c983b5e2
|
|
limited users" into jb-mr2-dev
* commit '30cfaf7c863cf33dbfa6c7f9681997735fe62d40':
Add new primary accounts to secondary limited users
|
|
When a new account is added to the primary, those will be marked
as shared accounts for secondary limited users. If the secondary user
is currently running, clone the account right away.
Bug: 8510431
Change-Id: Ie8ad87a7205e7b1a5a1752e75fbbfc416b2a58a7
|
|
Change-Id: I9664186a62cf7b11844c6a14967f5b8c2b67c289
|
|
Make sure that apps that have access to restricted accounts can see them.
If they don't have access, they shouldn't be able to add a new account either.
Show an error message in the account picker if the user/app is not authorized.
Change-Id: I117c0b14d7d06c5ac4e66506df156b174567f5f3
|
|
seeding." into jb-mr2-dev
* commit '98c762bf7cd291e4ae3d9923a8feb3389855ecff':
AccountManager changes for profile seeding.
|
|
|
|
Add a new error code to AccountManager and remove the check for
limited user during add account to allow Authenticators to seed
account during limited profile startup.
Change-Id: I5a73def9fc3baeb8e6de1b42e923829c335e1668
|
|
* commit '1438d67e7ddaba1133f181bc70cd706acf57a520':
Restricted account visibility
|
|
|
|
sideloading, usb file transfer" into jb-mr2-dev
* commit 'b3c060a166e9d5a141a6500e4c443a20d4e002b6':
Add user restrictions for bluetooth, sideloading, usb file transfer
|
|
When accounts are shared to a restricted/limited user, apps can
opt-in to viewing accounts of a certain type. Other shared accounts
are not visible to the app.
App would specify the account type in the manifest <application> tag
with the attribute restrictedAccountType="foo.bar", where "foo.bar"
is the account type as defined by the authenticator.
Change-Id: I7586da04d6d6d32aae15adc6b1366f325bb07384
|
|
Created constants for these in UserManager and current.txt. Also created
an accessor for individual user restrictions that takes the restriction key
(removing individual methods for particular restrictions).
Change-Id: Ibb5517cbcdffadd3925f52cbe67d7d525813faa9
|
|
admin" into jb-mr2-dev
* commit 'f3dc9f0aa91d2785b715f251b144487ec1b57ecc':
Device Owner, a special kind of device admin
|
|
A Device Owner cannot be uninstalled and is available to all users. It must
be registered before the device_provisioned flag is set.
Device admins can be disabled until used, but visible to device policy
manager, so that users wont be bothered with update requests.
Opened up a few related APIs for use by a system-installed Device Owner.
Change-Id: I847b5fe68c0f724863f778a67602b5bddc79d8e5
|
|
Change-Id: I752c387c013c3deaad836df9b0c2294e7149a32a
|
|
Adds the ability for apps to export some restrictions. The restrictions
are presented in Settings based on the restriction type. The user's
selections are stored by UserManagerService and provided to the
target user's application as a list of RestrictionEntry objects which
contain the key, value(s).
Also introduce a manifest entry for system apps to request that the
app be automatically installed in all users, so that they cannot be
deselected by the owner user.
Shared account filtering for non-whitelisted apps.
Change-Id: I15b741e3c0f3448883cb364c130783f1f6ea7ce6
|
|
* commit '3eb3774f8e54a6f43dcf4f27e1b7a62676791ff6':
Shared accounts and sharing of apps
|
|
API and preliminary implementation for sharing primary user accounts with a secondary user.
AbstractAccountAuthenticator has new methods to retrieve and apply a bundle of credentials
to clone an account from the primary to a restricted secondary user. The AccountManagerService
initiates the account clone when it starts up the user and detects that the user has
a shared account registered that hasn't been converted to a real account.
AccountManager also has new hidden APIs to add/remove/get shared accounts. There might be
further improvements to this API to make shared accounts hidden/visible to select apps.
AccountManagerService has a new table to store the shared account information.
Added ability in PackageManager to install and uninstall packages for a secondary user. This
is required when the primary user selects a few apps to share with a restricted user.
Remove shared accounts from secondary users when primary user removes the account.
Change-Id: I9378ed0d8c1cc66baf150a4bec0ede56f6f8b06b
|
|
When keyguard gets moved to its own process, it will need to access
specific user accounts in order to enable features such as the "forgot pattern"
button. This adds an additional check to allow apps with the
INTERACT_ACROSS_USERS_FULL permission to work.
Change-Id: Id3107bc212ae3005870db781c32ae4405c068ad9
|
|
Restrictions saved as key/value pairs, mostly booleans right now
but might be expanded to other types later.
Save and restore restrictions in the user manager service.
Enforce some of the restrictions at the framework level. Some
are enforced (also) at the app level, such as in Settings.
Change-Id: Id11ffe129cb6a177e094edf79635727388c26f40
|
|
This is for the multi-user version of bindService, not the original.
Change-Id: Ib2de35941196accf387b1a276a77e6f9af805ec0
|
|
This helps reduce the pressure on framework.jar, and makes it clear
that it should only be used by the system_server.
Bug: 7333397
Change-Id: I0858904239535380fbf30562b793e277d8c3f054
|
