| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After uninstalling an app, if the system was shutdown before the
download provider received the broadcast for UID_REMOVED, another app
installed later in the same uid might be able to gain access to the
files downloaded by this app. Removing any such hanging downloads
at the start up of the download provider should fix this issue.
Test: Manually tested by uninstalling an app and killing and restarting
the process android.process.media, to check that the downloaded files of
the uninstalled app were deleted.
Bug:22011579
Merged in: I7382c4846f99035b40412a01715aee5873efa9e6
AOSP-Change-Id: I7382c4846f99035b40412a01715aee5873efa9e6
(cherry picked from commit 2ab9a2d15c63cd567805adb8fa4b9c524afc5ceb)
(cherry picked from commit 3b15466b3cb6207660a73d1cea44a2d018ada23f)
CVE-2017-0668
Change-Id: I8c5fee862185b958a539c7489443480c5c65ace6
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When opening a downloaded file, enforce that the caller can actually
see the requested download before clearing their identity to read
internal columns.
However, this means that we can no longer return the "my_downloads"
paths: if those Uris were shared beyond the app that requested the
download, access would be denied. Instead, we need to switch to
using "all_downloads" Uris so that permission grants can be issued
to third-party viewer apps.
Since an app requesting a download doesn't normally have permission
to "all_downloads" paths, we issue narrow grants toward the owner of
each download, both at device boot and when new downloads are
started.
Bug: 30537115, 30945409
Change-Id: If944aada020878a91c363963728d0da9f6fae3ea
(cherry picked from commit 7c1af8c62c8bdf6e8de5a00c1927daf9fd9c03d1)
|
|
|
|
|
|
|
| |
This reverts commit 8be3a92eb0b4105a9ed748be5a937ce79145f565.
Change-Id: I10401d57239b868f8e3514f81a0e20486838e29c
(cherry picked from commit b440ceb00fd46c9233723066c680a538067fbf82)
|
|
|
|
|
|
|
|
|
|
| |
When opening a downloaded file, enforce that the caller can actually
see the requested download before clearing their identity to read
internal columns.
Bug: 30537115
Change-Id: I01bbad7997e5e908bfb19f5d576860a24f59f295
(cherry picked from commit 8be3a92eb0b4105a9ed748be5a937ce79145f565)
|
|
|
|
|
|
|
|
| |
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: Ia58425ab71c1472dd2f2dd31dae000ca29d0bcb2
|
|
|
|
|
|
|
|
| |
This avoids a race condition where someone can change a symlink
target after the security checks have passed.
Bug: 26211054
Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
|
|
|
|
|
| |
Bug: 22718722
Change-Id: I9c054956c3b3655332475607d6919dc34515e550
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Normally apps must hold the WRITE_EXTERNAL_STORAGE permission in
order to use DownloadManager. However, now that the platform has
relaxed permissions on package-specific directories, we relax the
DownloadManager check in a similar way. This also opens up using
DownloadManager to save files on secondary external storage devices.
Fix bug so that we now check the relevant volume state when thinking
about resuming a download.
Bug: 22135060
Change-Id: If439340ea48789ea167f49709b5b69a4f0883150
|
|
|
|
|
|
|
|
|
|
| |
The onCreate() method [where we initialize the handler] runs on the
main thread. This means the ParcelFileDescriptor also runs tasks
involving disk access on the main thread. We need to create a
separate thread to run the Content Provider's handler.
Bug: 19718299
Change-Id: Ia3661fafd3442ad6260f04253ba24ddf83b176b2
|
|
|
|
|
|
|
| |
Otherwise they're orphaned until the next idle maintenance pass.
Bug: 21786983
Change-Id: I6eb2240d657366b65482bd3a0d5683e5d34a541a
|
|
|
|
|
| |
Bug: 16822344
Change-Id: Ib90e171cbb7babc7a3eea59de5cb899c79fadf94
|
|
|
|
|
|
|
|
| |
Kicks off media scanner after files are written, usually through a
DocumentsProvider.
Bug: 13557203
Change-Id: I4e29b778b4e19a217f60c1e415c4d814724752d3
|
|\
| |
| |
| |
| | |
* commit 'f04a7690b53288c98c07e0aa05214cceebea1331':
Avoid leaking cursors
|
| |
| |
| |
| |
| |
| |
| | |
Adding try/finally blocks to make sure that cursor
resources are let go
Change-Id: I596074aa9ab5752f91a26b5a03e1f39c23c64a5f
|
|\|
| |
| |
| | |
Change-Id: I59df74b902c95299ae9adda2ddddb6bad4260159
|
| |
| |
| |
| |
| |
| |
| |
| | |
It is not necessary/useful to place this directory into a separate
type from other app data files, so remove this restorecon.
Change-Id: Iabd643a515c134ab2a62e82866a3f72530f795ba
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Periodically reconcile database against disk contents. This handles
the case where a user/app deletes files directly from disk without
updating the database, and the rare case where a database delete
didn't make it to deleting the underlying file.
Also cleans up any downloads belonging to a UID when removed.
Bug: 12924143
Change-Id: I4899d09df7ef71f2625491ac01ceeafa8a2013ce
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Change all data transfer to occur through FileDescriptors instead of
relying on local files. This paves the way for downloading directly
to content:// Uris in the future.
Rewrite storage management logic to preflight download when size is
known. If enough space is found, immediately reserve the space with
fallocate(), advising the kernel block allocator to try giving us a
contiguous block regions to reduce fragmentation. When preflighting
on internal storage or emulated external storage, ask PackageManager
to clear private app caches to free up space.
Since we fallocate() the entire file, use the database as the source
of truth for resume locations, which requires that we fsync() before
each database update.
Store in-progress downloads in separate directories to keep the OS
from deleting out from under us. Clean up filename generation logic
to break ties in this new dual-directory case.
Clearer enforcement of successful download preconditions around
content lengths and ETags. Move all database field mutations to
clearer DownloadInfoDelta object, and write back through single
code path.
Catch and log uncaught exceptions from DownloadThread. Tests to
verify new storage behaviors. Fixed existing test to reflect correct
RFC behavior.
Bug: 5287571, 3213677, 12663412
Change-Id: I6bb905eca7c7d1a6bc88df3db28b65d70f660221
|
| |
| |
| |
| |
| | |
This reverts commit 4f9d2d04003fafb358d7c127054055b3a9732c9b, was only
wanted for debugging.
|
|/
|
|
|
|
|
|
| |
Try to catch the download provider in the act of deleting pending
system updates.
Bug: 12680933
Change-Id: If58aba5c30fd624217e5d073730645af05e98ac7
|
|
|
|
|
|
|
|
|
| |
insert() was trying to be too clever, and it would end up delaying
the media scanner until the next download happened. This resulted
in duplicate photos in DocumentsUI.
Bug: 11081685
Change-Id: Ic9549ede38118372849119dd3a21415a4723e9f5
|
|
|
|
|
| |
Bug: 10943812
Change-Id: Ib0cb3e608c1f40a2e2fcd6e493c8f920d8b4221b
|
|
|
|
|
|
|
|
| |
When deleting downloads, revoke any Uri permission grants, which
removes from getPersistedUriPermissions().
Bug: 10928851
Change-Id: I3e90c4071385832dcb3e0cf9ca3fdccafbe30037
|
|
|
|
|
|
|
|
|
|
|
| |
Add column to mark downloads as being writable, and allow documents
to be created under Downloads backend. Update database when writing
is finished, and generate unique filenames when they already exist.
Check canonical path on incoming _DATA paths.
Bug: 10667164, 10892621, 10893268
Change-Id: I8c203b96ff042a895b58686903fcd07fc755a00f
|
|
|
|
| |
Change-Id: I4839fd07abdd1c6b866f1d94dc36567df047e30c
|
|
|
|
|
|
|
|
|
| |
The lifetime of DownloadService can be limited, and it's often
missing from bugreports. The provider has a much longer lifetime,
so have it dump raw data about recent downloads.
Bug: 7350685
Change-Id: I55c9d602d77014ea27820936f1cf5c8ad24f286a
|
|
|
|
|
|
|
|
| |
Now the final errors are always thrown, and the outer code decides
how to handle them as retries. Also clean up method signatures.
Bug: 8022478
Change-Id: I4e7e43be793294ab837370df521e7c381e0bb6c3
|
|
|
|
|
|
|
| |
Now DownloadService creates and owns the lifecycle of its own
StorageManager instance.
Change-Id: I8f6bedc02f1dbe610a8e6a25d55383a12716d344
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to using new inbox-style notifications when collapsing multiple
downloads. Correctly handles clustering, including cancellation of
stale notifications. All notifications are now handled in a single
class, making it easier to reason about correctness.
Fixed bugs around handling of visibility flags. Move away from using
"int" as internal keys, since they can overflow. Started work for
time estimates, will finish in a future CL.
Explicitly pass all relevant IDs to DownloadReceiver instead of doing
a second racy query. Fix StrictMode warnings when querying in
DownloadReceiver.
Bug: 6777872, 5463678, 6663547, 6967346, 6634261, 5608365
Change-Id: I5eb47b73b90b6250acec2ce5bf8d7a274ed9d3a9
|
|
|
|
|
| |
Bug: 6358473
Change-Id: Ied4a6c8194d0cbb735e43cf7d7759f4674efe535
|
|
|
|
|
|
|
|
|
|
|
|
| |
Include flag with each download to indicate if its allowed to proceed
over metered networks. Downloads are left in WAITING_FOR_NETWORK
state, similar to how ALLOWED_NETWORK_TYPES is handled.
Also keep blocked downloads in WAITING_FOR_NETWORK state instead
of marking them as failed.
Bug: 3001465, 5734560
Change-Id: I80bb9aa9bd25ddf6f7a2472db344b6ba6878bd74
|
|
|
|
|
|
|
|
|
| |
When viewing file://-style downloads, open through DownloadsProvider
so that FLAG_GRANT_READ_URI_PERMISSION works. Add support for
OpenableColumns to support external apps probing for metadata.
Bug: 6343461
Change-Id: I630405406321ea1871c62cbcded55a4ee024ef6e
|
|
|
|
|
| |
Bug: 5606426
Change-Id: I9b9cee142c360da2a30a4bb8be8dcf40b8c7e43e
|
|
|
|
|
| |
Bug: 5449870
Change-Id: I3219273be9b796b123545c811e5f39fa83b5768e
|
|
|
|
|
|
| |
Bug: 5010576
Change-Id: I2f9bcad41cf50ed0b17dd487d0389f7b38500fd7
|
|
|
|
|
|
|
|
| |
Updates list of allowed visibility values to enable Request builders
to use Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED.
Bug: 4283223
Change-Id: I8ebe4a13f95a58f25f6025946a6d4725261717f2
|
|
|
|
| |
Change-Id: I6192a829c7cac86c55a0f67364ebd722504d5dc7
|
|
|
|
| |
Change-Id: I9f9f6f2e0b2bd18f3767574fc51301b75bb1b76d
|
|\
| |
| |
| |
| |
| |
| | |
don\'t check mobile download limits"
* commit '6e9abd8e04c4aaafb8493a25efc34f4dd4fa6013':
Revert "bug:3414192 if otaupdate column is set, don't check mobile download limits"
|
| |
| |
| |
| |
| |
| | |
limits"
This reverts commit ea245800c69d6bc10dc2680e6a242f59e9cb49b6.
|
|\|
| |
| |
| |
| |
| |
| | |
flag set, validate caller\'s perms" into honeycomb"
* commit '49663f1ffe58a546fb0d2ab84898843ef5e89eb5':
Revert "Merge "bug:3341145 if ignore_size_limits flag set, validate caller's perms" into honeycomb"
|
| |
| |
| |
| |
| |
| |
| | |
perms" into honeycomb"
This reverts commit 3e7bb1c5d7e7d1a013df959c1a6947b33df0a0fd, reversing
changes made to b2085f61b37ad4a70c799012f25ff62a38173f68.
|
|\|
| |
| |
| |
| | |
* commit 'afefa43d9919f9284885f7080111c54a50c4fc90':
Revert "bug:3420722"
|
| |
| |
| |
| | |
This reverts commit 1cccc19b596f168ed34126db38b046ab164e063b.
|
|\|
| |
| |
| | |
Change-Id: I477599f16db5ea64e4fbc4d2be68dcedf2c80269
|
| |
| |
| |
| | |
Change-Id: Id40d2dbbefe5fa2546f8c5231be5f7fe9a7b43d6
|
|\|
| |
| |
| | |
Change-Id: I27a615509269f256cf66de2dd217d8c4667caab4
|
| |
| |
| |
| |
| |
| | |
and then of course ignore the mobile network size limits
Change-Id: I6765be9255187f93bd51acecc19a15db4f324204
|
| |
| |
| |
| |
| |
| |
| | |
Prevents null pointer exception when using
DownloadManager.completedDownload
Change-Id: I53859705c5e925f2320491451e41a631e4fed715
|
|\|
| |
| |
| |
| |
| |
| | |
check mobile download limits
* commit '8db8fba215a981edd24ad1f7118d3397be0114d2':
bug:3414192 if otaupdate column is set, don't check mobile download limits
|