path: root/src/com/android/providers/downloads/DownloadProvider.java
Commit message (author, age; files, lines)
* DO NOT MERGE Deleting downloads for removed uids on downloadprovider start [replicant-6.0-0002] (Suprabh Shukla, 2017-07-06; 1 file, -10/+45)
  After uninstalling an app, if the system was shutdown before the download provider received the broadcast for UID_REMOVED, another app installed later in the same uid might be able to gain access to the files downloaded by this app. Removing any such hanging downloads at the start up of the download provider should fix this issue.
  Test: Manually tested by uninstalling an app and killing and restarting the process android.process.media, to check that the downloaded files of the uninstalled app were deleted.
  Bug:22011579
  Merged in: I7382c4846f99035b40412a01715aee5873efa9e6
  AOSP-Change-Id: I7382c4846f99035b40412a01715aee5873efa9e6
  (cherry picked from commit 2ab9a2d15c63cd567805adb8fa4b9c524afc5ceb)
  (cherry picked from commit 3b15466b3cb6207660a73d1cea44a2d018ada23f)
  CVE-2017-0668
  Change-Id: I8c5fee862185b958a539c7489443480c5c65ace6
* Enforce calling identity before clearing. (Jeff Sharkey, 2016-09-27; 1 file, -0/+44)
  When opening a downloaded file, enforce that the caller can actually see the requested download before clearing their identity to read internal columns. However, this means that we can no longer return the "my_downloads" paths: if those Uris were shared beyond the app that requested the download, access would be denied. Instead, we need to switch to using "all_downloads" Uris so that permission grants can be issued to third-party viewer apps. Since an app requesting a download doesn't normally have permission to "all_downloads" paths, we issue narrow grants toward the owner of each download, both at device boot and when new downloads are started.
  Bug: 30537115, 30945409
  Change-Id: If944aada020878a91c363963728d0da9f6fae3ea
  (cherry picked from commit 7c1af8c62c8bdf6e8de5a00c1927daf9fd9c03d1)
* Revert "Enforce calling identity before clearing." (Adam Seaton, 2016-08-26; 1 file, -13/+0)
  This reverts commit 8be3a92eb0b4105a9ed748be5a937ce79145f565.
  Change-Id: I10401d57239b868f8e3514f81a0e20486838e29c
  (cherry picked from commit b440ceb00fd46c9233723066c680a538067fbf82)
* Enforce calling identity before clearing. (Jeff Sharkey, 2016-08-25; 1 file, -0/+13)
  When opening a downloaded file, enforce that the caller can actually see the requested download before clearing their identity to read internal columns.
  Bug: 30537115
  Change-Id: I01bbad7997e5e908bfb19f5d576860a24f59f295
  (cherry picked from commit 8be3a92eb0b4105a9ed748be5a937ce79145f565)
* DO NOT MERGE. Use resolved path when inserting and deleting. (Jeff Sharkey, 2016-02-26; 1 file, -5/+15)
  This avoids a race condition where someone can change a symlink target after the security checks have passed.
  Bug: 26211054
  Change-Id: Ia58425ab71c1472dd2f2dd31dae000ca29d0bcb2
* Use resolved path for both checking and opening. (Jeff Sharkey, 2016-02-26; 1 file, -2/+8)
  This avoids a race condition where someone can change a symlink target after the security checks have passed.
  Bug: 26211054
  Change-Id: I5842aaecc7b7d417a3b1902957b59b8a1f3c1ccb
* Switch to proxy variants of app-ops calls. (Jeff Sharkey, 2015-07-24; 1 file, -2/+2)
  Bug: 22718722
  Change-Id: I9c054956c3b3655332475607d6919dc34515e550
* Relax permissions on package-specific paths. (Jeff Sharkey, 2015-07-14; 1 file, -14/+33)
  Normally apps must hold the WRITE_EXTERNAL_STORAGE permission in order to use DownloadManager. However, now that the platform has relaxed permissions on package-specific directories, we relax the DownloadManager check in a similar way. This also opens up using DownloadManager to save files on secondary external storage devices. Fix bug so that we now check the relevant volume state when thinking about resuming a download.
  Bug: 22135060
  Change-Id: If439340ea48789ea167f49709b5b69a4f0883150
* Create a handler thread (Todd Kennedy, 2015-06-19; 1 file, -1/+5)
  The onCreate() method [where we initialize the handler] runs on the main thread. This means the ParcelFileDescriptor also runs tasks involving disk access on the main thread. We need to create a separate thread to run the Content Provider's handler.
  Bug: 19718299
  Change-Id: Ia3661fafd3442ad6260f04253ba24ddf83b176b2
* Actually delete files when rows are deleted. (Jeff Sharkey, 2015-06-16; 1 file, -5/+12)
  Otherwise they're orphaned until the next idle maintenance pass.
  Bug: 21786983
  Change-Id: I6eb2240d657366b65482bd3a0d5683e5d34a541a
* Whoops, clear identity to get internal columns. (Jeff Sharkey, 2014-08-05; 1 file, -1/+11)
  Bug: 16822344
  Change-Id: Ib90e171cbb7babc7a3eea59de5cb899c79fadf94
* Scan after writing download files. (Jeff Sharkey, 2014-08-05; 1 file, -18/+41)
  Kicks off media scanner after files are written, usually through a DocumentsProvider.
  Bug: 13557203
  Change-Id: I4e29b778b4e19a217f60c1e415c4d814724752d3
* am f04a7690: am 90e7485d: am 02562d30: Merge "Avoid leaking cursors" (Jeff Sharkey, 2014-05-10; 1 file, -20/+30)
  * commit 'f04a7690b53288c98c07e0aa05214cceebea1331': Avoid leaking cursors
| * Avoid leaking cursors (Mattias Nilsson, 2014-04-01; 1 file, -20/+30)
    Adding try/finally blocks to make sure that cursor resources are let go
    Change-Id: I596074aa9ab5752f91a26b5a03e1f39c23c64a5f
* | resolved conflicts for merge of 2ca55fd3 to master (Nick Kralevich, 2014-03-14; 1 file, -6/+0)
    Change-Id: I59df74b902c95299ae9adda2ddddb6bad4260159
| * Drop restorecon call from DownloadProvider. (Stephen Smalley, 2014-03-12; 1 file, -6/+0)
    It is not necessary/useful to place this directory into a separate type from other app data files, so remove this restorecon.
    Change-Id: Iabd643a515c134ab2a62e82866a3f72530f795ba
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* | Add idle service to clean orphan downloads. (Jeff Sharkey, 2014-02-06; 1 file, -1/+3)
    Periodically reconcile database against disk contents. This handles the case where a user/app deletes files directly from disk without updating the database, and the rare case where a database delete didn't make it to deleting the underlying file. Also cleans up any downloads belonging to a UID when removed.
    Bug: 12924143
    Change-Id: I4899d09df7ef71f2625491ac01ceeafa8a2013ce
* | Many improvements to download storage management. (Jeff Sharkey, 2014-02-06; 1 file, -10/+9)
    Change all data transfer to occur through FileDescriptors instead of relying on local files. This paves the way for downloading directly to content:// Uris in the future. Rewrite storage management logic to preflight download when size is known. If enough space is found, immediately reserve the space with fallocate(), advising the kernel block allocator to try giving us a contiguous block regions to reduce fragmentation. When preflighting on internal storage or emulated external storage, ask PackageManager to clear private app caches to free up space. Since we fallocate() the entire file, use the database as the source of truth for resume locations, which requires that we fsync() before each database update. Store in-progress downloads in separate directories to keep the OS from deleting out from under us. Clean up filename generation logic to break ties in this new dual-directory case. Clearer enforcement of successful download preconditions around content lengths and ETags. Move all database field mutations to clearer DownloadInfoDelta object, and write back through single code path. Catch and log uncaught exceptions from DownloadThread. Tests to verify new storage behaviors. Fixed existing test to reflect correct RFC behavior.
    Bug: 5287571, 3213677, 12663412
    Change-Id: I6bb905eca7c7d1a6bc88df3db28b65d70f660221
* | Revert "change download provider to use system log" (Doug Zongker, 2014-01-27; 1 file, -26/+26)
    This reverts commit 4f9d2d04003fafb358d7c127054055b3a9732c9b, was only wanted for debugging.
* | change download provider to use system log (Doug Zongker, 2014-01-27; 1 file, -26/+26)
    Try to catch the download provider in the act of deleting pending system updates.
    Bug: 12680933
    Change-Id: If58aba5c30fd624217e5d073730645af05e98ac7
* Always update notifications, media scanner. (Jeff Sharkey, 2013-10-04; 1 file, -16/+5)
  insert() was trying to be too clever, and it would end up delaying the media scanner until the next download happened. This resulted in duplicate photos in DocumentsUI.
  Bug: 11081685
  Change-Id: Ic9549ede38118372849119dd3a21415a4723e9f5
* Allow all downloads to be writable. (Jeff Sharkey, 2013-10-01; 1 file, -19/+3)
  Bug: 10943812
  Change-Id: Ib0cb3e608c1f40a2e2fcd6e493c8f920d8b4221b
* Revoke grants when downloads are deleted. (Jeff Sharkey, 2013-09-26; 1 file, -0/+13)
  When deleting downloads, revoke any Uri permission grants, which removes from getPersistedUriPermissions().
  Bug: 10928851
  Change-Id: I3e90c4071385832dcb3e0cf9ca3fdccafbe30037
* Allow saving to Downloads. (Jeff Sharkey, 2013-09-23; 1 file, -9/+46)
  Add column to mark downloads as being writable, and allow documents to be created under Downloads backend. Update database when writing is finished, and generate unique filenames when they already exist. Check canonical path on incoming _DATA paths.
  Bug: 10667164, 10892621, 10893268
  Change-Id: I8c203b96ff042a895b58686903fcd07fc755a00f
* Restore the appropriate SELinux context to the downloads dir. (Geremy Condra, 2013-04-04; 1 file, -2/+7)
  Change-Id: I4839fd07abdd1c6b866f1d94dc36567df047e30c
* Dump recent downloads from provider. (Jeff Sharkey, 2013-01-30; 1 file, -1/+41)
  The lifetime of DownloadService can be limited, and it's often missing from bugreports. The provider has a much longer lifetime, so have it dump raw data about recent downloads.
  Bug: 7350685
  Change-Id: I55c9d602d77014ea27820936f1cf5c8ad24f286a
* Better handling of retryable errors. (Jeff Sharkey, 2013-01-17; 1 file, -1/+1)
  Now the final errors are always thrown, and the outer code decides how to handle them as retries. Also clean up method signatures.
  Bug: 8022478
  Change-Id: I4e7e43be793294ab837370df521e7c381e0bb6c3
* Remove singleton StorageManager. (Jeff Sharkey, 2013-01-05; 1 file, -1/+1)
  Now DownloadService creates and owns the lifecycle of its own StorageManager instance.
  Change-Id: I8f6bedc02f1dbe610a8e6a25d55383a12716d344
* Rewrite of download notifications. (Jeff Sharkey, 2012-11-09; 1 file, -8/+3)
  Switch to using new inbox-style notifications when collapsing multiple downloads. Correctly handles clustering, including cancellation of stale notifications. All notifications are now handled in a single class, making it easier to reason about correctness. Fixed bugs around handling of visibility flags. Move away from using "int" as internal keys, since they can overflow. Started work for time estimates, will finish in a future CL. Explicitly pass all relevant IDs to DownloadReceiver instead of doing a second racy query. Fix StrictMode warnings when querying in DownloadReceiver.
  Bug: 6777872, 5463678, 6663547, 6967346, 6634261, 5608365
  Change-Id: I5eb47b73b90b6250acec2ce5bf8d7a274ed9d3a9
* Report MIME type for individual downloads. (Jeff Sharkey, 2012-04-19; 1 file, -5/+8)
  Bug: 6358473
  Change-Id: Ied4a6c8194d0cbb735e43cf7d7759f4674efe535
* Add and enforce ALLOW_METERED column. (Jeff Sharkey, 2012-04-17; 1 file, -1/+8)
  Include flag with each download to indicate if its allowed to proceed over metered networks. Downloads are left in WAITING_FOR_NETWORK state, similar to how ALLOWED_NETWORK_TYPES is handled. Also keep blocked downloads in WAITING_FOR_NETWORK state instead of marking them as failed.
  Bug: 3001465, 5734560
  Change-Id: I80bb9aa9bd25ddf6f7a2472db344b6ba6878bd74
* View file downloads through DownloadsProvider. (Jeff Sharkey, 2012-04-17; 1 file, -4/+26)
  When viewing file://-style downloads, open through DownloadsProvider so that FLAG_GRANT_READ_URI_PERMISSION works. Add support for OpenableColumns to support external apps probing for metadata.
  Bug: 6343461
  Change-Id: I630405406321ea1871c62cbcded55a4ee024ef6e
* Use UID instead of PID. (Jeff Sharkey, 2011-11-11; 1 file, -1/+1)
  Bug: 5606426
  Change-Id: I9b9cee142c360da2a30a4bb8be8dcf40b8c7e43e
* Check canonical path when download requested. (Jeff Sharkey, 2011-10-12; 1 file, -4/+10)
  Bug: 5449870
  Change-Id: I3219273be9b796b123545c811e5f39fa83b5768e
* Eliminate single-process mode. (Jeff Brown, 2011-07-08; 1 file, -2/+1)
  Bug: 5010576
  Change-Id: I2f9bcad41cf50ed0b17dd487d0389f7b38500fd7
* Allow VISIBLE_NOTIFY_COMPLETED on Request. (Jeff Sharkey, 2011-04-13; 1 file, -4/+8)
  Updates list of allowed visibility values to enable Request builders to use Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED.
  Bug: 4283223
  Change-Id: I8ebe4a13f95a58f25f6025946a6d4725261717f2
* bug:3513950 fix the comments (Vasu Nori, 2011-03-07; 1 file, -6/+6)
  Change-Id: I6192a829c7cac86c55a0f67364ebd722504d5dc7
* bug:3425749 if adding completed download to db, send completion notif (Vasu Nori, 2011-02-10; 1 file, -8/+27)
  Change-Id: I9f9f6f2e0b2bd18f3767574fc51301b75bb1b76d
* am 6e9abd8e: am d119d3cb: Revert "bug:3414192 if otaupdate column is set, don\'t check mobile download limits" (Vasu Nori, 2011-02-03; 1 file, -10/+0)
  * commit '6e9abd8e04c4aaafb8493a25efc34f4dd4fa6013': Revert "bug:3414192 if otaupdate column is set, don't check mobile download limits"
| * Revert "bug:3414192 if otaupdate column is set, don't check mobile download limits" (Vasu Nori, 2011-02-03; 1 file, -10/+0)
    This reverts commit ea245800c69d6bc10dc2680e6a242f59e9cb49b6.
* | am 49663f1f: am f20af912: Revert "Merge "bug:3341145 if ignore_size_limits flag set, validate caller\'s perms" into honeycomb" (Vasu Nori, 2011-02-03; 1 file, -9/+5)
    * commit '49663f1ffe58a546fb0d2ab84898843ef5e89eb5': Revert "Merge "bug:3341145 if ignore_size_limits flag set, validate caller's perms" into honeycomb"
| * Revert "Merge "bug:3341145 if ignore_size_limits flag set, validate caller's perms" into honeycomb" (Vasu Nori, 2011-02-03; 1 file, -9/+5)
    This reverts commit 3e7bb1c5d7e7d1a013df959c1a6947b33df0a0fd, reversing changes made to b2085f61b37ad4a70c799012f25ff62a38173f68.
* | am afefa43d: am cac5bbb5: Revert "bug:3420722" (Vasu Nori, 2011-02-03; 1 file, -1/+0)
    * commit 'afefa43d9919f9284885f7080111c54a50c4fc90': Revert "bug:3420722"
| * Revert "bug:3420722" (Vasu Nori, 2011-02-03; 1 file, -1/+0)
    This reverts commit 1cccc19b596f168ed34126db38b046ab164e063b.
* | resolved conflicts for merge of 73642748 to master (Vasu Nori, 2011-02-03; 1 file, -1/+1)
    Change-Id: I477599f16db5ea64e4fbc4d2be68dcedf2c80269
| * bug:3420722 (Vasu Nori, 2011-02-03; 1 file, -0/+1)
    Change-Id: Id40d2dbbefe5fa2546f8c5231be5f7fe9a7b43d6
* | resolved conflicts for merge of 43d649e9 to master (Vasu Nori, 2011-02-02; 1 file, -5/+9)
    Change-Id: I27a615509269f256cf66de2dd217d8c4667caab4
| * bug:3341145 if ignore_size_limits flag set, validate caller's perms (Vasu Nori, 2011-02-02; 1 file, -5/+9)
    and then of course ignore the mobile network size limits
    Change-Id: I6765be9255187f93bd51acecc19a15db4f324204
* | Check for null before accessing pckg. (Leon Scroggins, 2011-02-02; 1 file, -1/+1)
    Prevents null pointer exception when using DownloadManager.completedDownload
    Change-Id: I53859705c5e925f2320491451e41a631e4fed715
* | am 8db8fba2: am ea245800: bug:3414192 if otaupdate column is set, don\'t check mobile download limits (Vasu Nori, 2011-02-01; 1 file, -0/+10)
    * commit '8db8fba215a981edd24ad1f7118d3397be0114d2': bug:3414192 if otaupdate column is set, don't check mobile download limits