Enforce calling identity before clearing.

Fix merge conflict into nyc-release

When opening a downloaded file, enforce that the caller can actually
see the requested download before clearing their identity to read

However, this means that we can no longer return the "my_downloads"
paths: if those Uris were shared beyond the app that requested the
download, access would be denied. Instead, we need to switch to
using "all_downloads" Uris so that permission grants can be issued
to third-party viewer apps.

Since an app requesting a download doesn't normally have permission
to "all_downloads" paths, we issue narrow grants toward the owner of
each download, both at device boot and when new downloads are

Bug: 30537115, 30945409
1 file changed