Better definition of "system" as "self".
Over the last few years, we established a clear boundary between
third-party apps and "system" internals, so that we could start
tracking down all hidden API usages.
As part of becoming a Mainline module in Android R, we need to
reduce this boundary even further to make it clear that the only
component able to use hidden API details is the MediaProvider
itself.
If we didn't have this enforcement in place, we'd slowly build up
land mines of hidden API usage by still-bundled system components
that would prevent us from being able to safely deploy Mainline
updates in the future.
This change adjusts the existing "backup" feature to become a
more general-purpose "delegator" permission, which better matches
what system apps are trying to do: they're simply interested in
shifting ownership of an existing media item to another package.
This use-case blends nicely with the existing UPDATE_DEVICE_STATS
permission, which is designed for shifting blame/ownership of
things like CPU and network traffic to other apps, and thankfully
DownloadManager already holds this permission, so this gives us
a nice clean way of keeping DownloadManager working.
Fixes a few additional bugs where the shell and delegators should
be able to perform certain tasks.
Bug: 155347675
Test: atest --test-mapping packages/providers/MediaProvider
Test: atest --test-mapping packages/providers/DownloadProvider
Change-Id: I7b1759642466ae64d6d643716743cfdb7136916b
6 files changed
