Add APIs for interacting across users.

- Expose the existing Context.sendBroadcast() as
  Context.sendBroadcastAsUser().
- Add new android:singleUser attribute for services.
- Add new INTERACT_ACROSS_USERS_FULL permission for full
  system-level access to cross-user interface (allows
  sendBroadcastAsUser() to send to any receiver).
- Add new INTERACT_ACROSS_USERS_FULL permission for
  more restricted cross-user interaction: this is required
  for android:singleUser, and allows you to use
  sendBroadcastAsUser() but only to send to your own
  receivers.

Change-Id: I0de88f6718e9505f4de72e3f45d29c0f503b76e9

Author: Dianne Hackborn

api/current.txt

@@ -62,6 +62,7 @@ package android {
     field public static final java.lang.String INJECT_EVENTS = "android.permission.INJECT_EVENTS";
     field public static final java.lang.String INSTALL_LOCATION_PROVIDER = "android.permission.INSTALL_LOCATION_PROVIDER";
     field public static final java.lang.String INSTALL_PACKAGES = "android.permission.INSTALL_PACKAGES";
+    field public static final java.lang.String INTERACT_ACROSS_USERS = "android.permission.INTERACT_ACROSS_USERS";
     field public static final java.lang.String INTERNAL_SYSTEM_WINDOW = "android.permission.INTERNAL_SYSTEM_WINDOW";
     field public static final java.lang.String INTERNET = "android.permission.INTERNET";
     field public static final java.lang.String KILL_BACKGROUND_PROCESSES = "android.permission.KILL_BACKGROUND_PROCESSES";
@@ -893,6 +894,7 @@ package android {
     field public static final int shownWeekCount = 16843585; // 0x1010341
     field public static final int shrinkColumns = 16843082; // 0x101014a
     field public static final deprecated int singleLine = 16843101; // 0x101015d
+    field public static final int singleUser = 16843711; // 0x10103bf
     field public static final int smallIcon = 16843422; // 0x101029e
     field public static final int smallScreens = 16843396; // 0x1010284
     field public static final int smoothScrollbar = 16843313; // 0x1010231
@@ -5317,6 +5319,7 @@ package android.content {
     method public abstract void revokeUriPermission(android.net.Uri, int);
     method public abstract void sendBroadcast(android.content.Intent);
     method public abstract void sendBroadcast(android.content.Intent, java.lang.String);
+    method public void sendBroadcastToUser(android.content.Intent, int);
     method public abstract void sendOrderedBroadcast(android.content.Intent, java.lang.String);
     method public abstract void sendOrderedBroadcast(android.content.Intent, java.lang.String, android.content.BroadcastReceiver, android.os.Handler, int, java.lang.String, android.os.Bundle);
     method public abstract void sendStickyBroadcast(android.content.Intent);
@@ -6700,6 +6703,7 @@ package android.content.pm {
     method public void dump(android.util.Printer, java.lang.String);
     field public static final android.os.Parcelable.Creator CREATOR;
     field public static final int FLAG_ISOLATED_PROCESS = 2; // 0x2
+    field public static final int FLAG_SINGLE_USER = 4; // 0x4
     field public static final int FLAG_STOP_WITH_TASK = 1; // 0x1
     field public int flags;
     field public java.lang.String permission;

core/java/android/accounts/AccountManagerService.java

@@ -896,7 +896,7 @@ private void setPasswordInternal(UserAccounts accounts, Account account, String
     private void sendAccountsChangedBroadcast(int userId) {
         Log.i(TAG, "the accounts changed, sending broadcast of "
                 + ACCOUNTS_CHANGED_INTENT.getAction());
-        mContext.sendBroadcast(ACCOUNTS_CHANGED_INTENT, userId);
+        mContext.sendBroadcastToUser(ACCOUNTS_CHANGED_INTENT, userId);
     }
 
     public void clearPassword(Account account) {

core/java/android/app/ContextImpl.java

@@ -966,9 +966,8 @@ public void sendBroadcast(Intent intent) {
         }
     }
 
-    /** @hide */
     @Override
-    public void sendBroadcast(Intent intent, int userId) {
+    public void sendBroadcastToUser(Intent intent, int userId) {
         String resolvedType = intent.resolveTypeIfNeeded(getContentResolver());
         try {
             intent.setAllowFds(false);

core/java/android/content/Context.java

@@ -988,12 +988,14 @@ public abstract void startIntentSender(IntentSender intent,
     public abstract void sendBroadcast(Intent intent);
 
     /**
-     * Same as #sendBroadcast(Intent intent), but for a specific user. Used by the system only.
+     * Same as #sendBroadcast(Intent intent), but for a specific user.  This broadcast
+     * can only be sent to receivers that are part of the calling application.  It
+     * requires holding the {@link android.Manifest.permission#INTERACT_ACROSS_USERS}
+     * permission.
      * @param intent the intent to broadcast
      * @param userId user to send the intent to
-     * @hide
      */
-    public void sendBroadcast(Intent intent, int userId) {
+    public void sendBroadcastToUser(Intent intent, int userId) {
         throw new RuntimeException("Not implemented. Must override in a subclass.");
     }
 

core/java/android/content/ContextWrapper.java

@@ -312,10 +312,9 @@ public void sendBroadcast(Intent intent) {
         mBase.sendBroadcast(intent);
     }
 
-    /** @hide */
     @Override
-    public void sendBroadcast(Intent intent, int userId) {
-        mBase.sendBroadcast(intent, userId);
+    public void sendBroadcastToUser(Intent intent, int userId) {
+        mBase.sendBroadcastToUser(intent, userId);
     }
 
     @Override

core/java/android/content/pm/PackageParser.java

@@ -2703,7 +2703,7 @@ private Service parseService(Package owner, Resources res,
             return null;
         }
 
-        final boolean setExported = sa.hasValue(
+        boolean setExported = sa.hasValue(
                 com.android.internal.R.styleable.AndroidManifestService_exported);
         if (setExported) {
             s.info.exported = sa.getBoolean(
@@ -2729,6 +2729,18 @@ private Service parseService(Package owner, Resources res,
                 false)) {
             s.info.flags |= ServiceInfo.FLAG_ISOLATED_PROCESS;
         }
+        if (sa.getBoolean(
+                com.android.internal.R.styleable.AndroidManifestService_singleUser,
+                false)) {
+            s.info.flags |= ServiceInfo.FLAG_SINGLE_USER;
+            if (s.info.exported) {
+                Slog.w(TAG, "Service exported request ignored due to singleUser: "
+                        + s.className + " at " + mArchiveSourcePath + " "
+                        + parser.getPositionDescription());
+                s.info.exported = false;
+            }
+            setExported = true;
+        }
 
         sa.recycle();
 

core/java/android/content/pm/ServiceInfo.java

@@ -48,6 +48,13 @@ public class ServiceInfo extends ComponentInfo
      */
     public static final int FLAG_ISOLATED_PROCESS = 0x0002;
 
+    /**
+     * Bit in {@link #flags}: If set, a single instance of the service will
+     * run for all users on the device.  Set from the
+     * {@link android.R.attr#singleUser} attribute.
+     */
+    public static final int FLAG_SINGLE_USER = 0x0004;
+
     /**
      * Options that have been set in the service declaration in the
      * manifest.

core/res/AndroidManifest.xml

@@ -760,6 +760,25 @@
         android:label="@string/permlab_getTasks"
         android:description="@string/permdesc_getTasks" />
 
+    <!-- Allows an application to call APIs that allow it to do interactions
+         across the users on the device, using singleton services and
+         user-targeted broadcasts.  This permission is not available to
+         third party applications. -->
+    <permission android:name="android.permission.INTERACT_ACROSS_USERS"
+        android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
+        android:protectionLevel="signature|system|development"
+        android:label="@string/permlab_interactAcrossUsers"
+        android:description="@string/permdesc_interactAcrossUsers" />
+
+    <!-- @hide Fuller form of {@link android.Manifest.permission#INTERACT_ACROSS_USERS}
+         that removes restrictions on where broadcasts can be sent and allows other
+         types of interactions. -->
+    <permission android:name="android.permission.INTERACT_ACROSS_USERS_FULL"
+        android:permissionGroup="android.permission-group.SYSTEM_TOOLS"
+        android:protectionLevel="signature"
+        android:label="@string/permlab_interactAcrossUsersFull"
+        android:description="@string/permdesc_interactAcrossUsersFull" />
+
     <!-- Allows an application to get full detailed information about
          recently running tasks, with full fidelity to the real state.
          @hide -->

core/res/res/values/attrs_manifest.xml

@@ -1275,6 +1275,16 @@
              that is isolated from the rest of the system.  The only communication
              with it is through the Service API (binding and starting). -->
         <attr name="isolatedProcess" format="boolean" />
+        <!-- If set to true, a single instance of this service will run for
+             all users.  That instance will run as user 0, the default/primary
+             user.  When the app running in processes for other users interacts
+             with this service (by binding to it, starting it, etc) they will
+             always interact with the instance running for user 0.  Enabling
+             single user mode forces "exported" of the service to be false, to
+             avoid introducing multi-user security bugs.  You must hold the
+             permission {@link android.Manifest.permission#INTERACT_ACROSS_USERS} in order
+             to use this feature. -->
+        <attr name="singleUser" format="boolean" />
     </declare-styleable>
 
     <!-- The <code>receiver</code> tag declares an

core/res/res/values/public.xml

@@ -3660,7 +3660,7 @@
   <public type="style" name="Widget.DeviceDefault.Light.MediaRouteButton" id="0x010301d8" />
 
 <!-- ===============================================================
-     Resources added in version 17 of the platform (Jelly Bean MRx?)
+     Resources added in version 17 of the platform (Jelly Bean MR1)
      =============================================================== -->
   <eat-comment />
   <public type="attr" name="supportsRtl" />
@@ -3679,5 +3679,6 @@
   <public type="attr" name="layout_alignParentEnd" />
   <public type="attr" name="listPreferredItemPaddingStart" />
   <public type="attr" name="listPreferredItemPaddingEnd" />
-
+  <public type="attr" name="singleUser" />
+  
 </resources>