drgreen/android_frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_frameworks_base/services/java/com/android/server/BackupManagerService.java

5189 lines
230 KiB
Java
Raw Normal View History

First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
/*
* Copyright (C) 2009 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.server;
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
import android.app.ActivityManagerNative;
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
import android.app.AlarmManager;
Some ActivityThread/ActivityManager cleanup. - Move PackageInfo out of ActivityThread, renaming to LoadedApk. - Rename some of the other PacakgeInfo inner classes to better represent what they are. - Rename HistoryRecord to ActivityRecord. - Introduce AppGlobals, to eventually let ActivityThread become package scoped. Change-Id: Ib714c54ceb3cdbb525dce3db9505f31042e88cf0
2010-06-24 15:07:24 -07:00
import android.app.AppGlobals;
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
import android.app.IActivityManager;
import android.app.IApplicationThread;
import android.app.IBackupAgent;
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
import android.app.PendingIntent;
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
import android.app.backup.BackupAgent;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
import android.app.backup.BackupDataOutput;
import android.app.backup.FullBackup;
Revert "Remove the APIs for the old encryption scheme." This reverts commit 1125d780a8b61703b8eb28c5c77dac5f3f0022dd.
2011-01-13 14:15:43 -06:00
import android.app.backup.RestoreSet;
Refactor android.backup => android.app.backup Change-Id: I0b21316ff890d7f3c7d4b82837bb60670724c2e8
2010-03-05 15:46:30 -08:00
import android.app.backup.IBackupManager;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
import android.app.backup.IFullBackupRestoreObserver;
Refactor android.backup => android.app.backup Change-Id: I0b21316ff890d7f3c7d4b82837bb60670724c2e8
2010-03-05 15:46:30 -08:00
import android.app.backup.IRestoreObserver;
import android.app.backup.IRestoreSession;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
import android.content.ActivityNotFoundException;
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
import android.content.BroadcastReceiver;
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
import android.content.ComponentName;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.content.Context;
import android.content.Intent;
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
import android.content.IntentFilter;
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
import android.content.ServiceConnection;
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
import android.content.pm.ApplicationInfo;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
import android.content.pm.IPackageDataObserver;
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
import android.content.pm.IPackageDeleteObserver;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import android.content.pm.IPackageInstallObserver;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
import android.content.pm.IPackageManager;
Adjust IBackupTransport interface Instead of just passing a package name to performBackup, pass the whole PackageInfo struct, explicitly including the list of signatures for the package. No need to make each transport look this up individually when it's a necessary part of the backup payload for each app.
2009-06-07 13:52:37 -07:00
import android.content.pm.PackageInfo;
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
import android.content.pm.PackageManager;
Remove the APIs for the old encryption scheme. Change-Id: I55116a5b29b10dfd50015805ec019b485257f68b
2011-01-12 09:47:26 -06:00
import android.content.pm.Signature;
Revert "Remove the APIs for the old encryption scheme." This reverts commit 1125d780a8b61703b8eb28c5c77dac5f3f0022dd.
2011-01-13 14:15:43 -06:00
import android.content.pm.PackageManager.NameNotFoundException;
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
import android.net.Uri;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.os.Binder;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import android.os.Build;
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
import android.os.Bundle;
Squashed commit of the following: Author: Christopher Tate <ctate@google.com> Date: Mon May 4 16:38:11 2009 -0700 IBackupService now passes ParcelFileDescriptors rather than int fds The outlines of backup state file / data file handling are now in place as well in the BackupManagerService. Author: Christopher Tate <ctate@google.com> Date: Thu Apr 30 12:40:19 2009 -0700 Hide the backup stuff for now Also adjust based on comments: + changed service intent string to conform to usage guidelines + only publish the IBackupService binder when invoked with the right intent action + docs tweaks
2009-05-04 16:41:53 -07:00
import android.os.Environment;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.os.Handler;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
import android.os.HandlerThread;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.os.IBinder;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
import android.os.Looper;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.os.Message;
Squashed commit of the following: Author: Christopher Tate <ctate@google.com> Date: Mon May 4 16:38:11 2009 -0700 IBackupService now passes ParcelFileDescriptors rather than int fds The outlines of backup state file / data file handling are now in place as well in the BackupManagerService. Author: Christopher Tate <ctate@google.com> Date: Thu Apr 30 12:40:19 2009 -0700 Hide the backup stuff for now Also adjust based on comments: + changed service intent string to conform to usage guidelines + only publish the IBackupService binder when invoked with the right intent action + docs tweaks
2009-05-04 16:41:53 -07:00
import android.os.ParcelFileDescriptor;
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
import android.os.PowerManager;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
import android.os.Process;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.os.RemoteException;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
import android.os.SystemClock;
Track client requests through location manager. This fixes a problem where applications could ask the location manager to do very heavy-weight things (like... say... update location every minute), which would get accounted against the system instead of the application because ultimately it is the system making the heavy calls (wake locks, etc). To solve this, we introduce a new class WorkSource representing the source of some work. Wake locks and Wifi locks allow you to set the source to use (but only if you are system code and thus can get the permission to do so), which is what will be reported to the battery stats until the actual caller. For the initial implementation, the location manager keeps track of all clients requesting periodic updates, and tells its providers about them as a WorkSource param when setting their min update time. The network location provider uses this to set the source on the wake and wifi locks it acquires, when doing work because of the update period. This should also be used elsewhere, such as in the GPS provider, but this is a good start. Change-Id: I2b6ffafad9e90ecf15d7c502e2db675fd52ae3cf
2010-09-10 18:43:00 -07:00
import android.os.WorkSource;
Encrypted File Systems Project. Installer modifications. Started to modify isntaller for data redirection to a secure location.
2009-11-18 10:14:20 -08:00
import android.provider.Settings;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
import android.util.EventLog;
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
import android.util.Log;
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
import android.util.Slog;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import android.util.SparseArray;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
import android.util.SparseIntArray;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
import android.util.StringBuilderPrinter;
Revert "Remove the APIs for the old encryption scheme." This reverts commit 1125d780a8b61703b8eb28c5c77dac5f3f0022dd.
2011-01-13 14:15:43 -06:00
import com.android.internal.backup.BackupConstants;
import com.android.internal.backup.IBackupTransport;
import com.android.internal.backup.LocalTransport;
import com.android.server.PackageManagerBackupAgent.Metadata;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.ByteArrayOutputStream;
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
import java.io.DataInputStream;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
import java.io.DataOutputStream;
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
import java.io.EOFException;
Squashed commit of the following: Author: Christopher Tate <ctate@google.com> Date: Mon May 4 16:38:11 2009 -0700 IBackupService now passes ParcelFileDescriptors rather than int fds The outlines of backup state file / data file handling are now in place as well in the BackupManagerService. Author: Christopher Tate <ctate@google.com> Date: Thu Apr 30 12:40:19 2009 -0700 Hide the backup stuff for now Also adjust based on comments: + changed service intent string to conform to usage guidelines + only publish the IBackupService binder when invoked with the right intent action + docs tweaks
2009-05-04 16:41:53 -07:00
import java.io.File;
More backup tests
2009-05-06 18:06:21 -07:00
import java.io.FileDescriptor;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import java.io.FileInputStream;
Tone down a non-error log message about lack of ancestral dataset tracking Change-Id: I2e5e48c9b695d6225016365907fe8edc73ab2c8e
2010-02-17 13:03:40 -08:00
import java.io.FileNotFoundException;
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
import java.io.FileOutputStream;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
import java.io.IOException;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import java.io.InputStream;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
import java.io.OutputStream;
More backup tests
2009-05-06 18:06:21 -07:00
import java.io.PrintWriter;
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
import java.io.RandomAccessFile;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import java.text.SimpleDateFormat;
With this, the BackupService onBackup method is called. It took a bunch of refactoring inside BackupManagerService, which is unfortunately all temporary anyway, but it unblocks a bunch of stuff.
2009-05-13 01:41:44 -04:00
import java.util.ArrayList;
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
import java.util.Arrays;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
import java.util.Date;
With this, the BackupService onBackup method is called. It took a bunch of refactoring inside BackupManagerService, which is unfortunately all temporary anyway, but it unblocks a bunch of stuff.
2009-05-13 01:41:44 -04:00
import java.util.HashMap;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
import java.util.HashSet;
import java.util.List;
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
import java.util.Map;
Use setRepeating() rather than setInexactRepeating() for backup scheduling, and add some random fuzz to the scheduling times, to make sure we aren't creating hour-aligned server load spikes. See bug 2226553 for details & Dr. No information.
2009-10-30 17:35:39 -07:00
import java.util.Random;
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
import java.util.Set;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
import java.util.concurrent.atomic.AtomicBoolean;
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.CipherOutputStream;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
class BackupManagerService extends IBackupManager.Stub {
private static final String TAG = "BackupManagerService";
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
private static final boolean DEBUG = true;
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
private static final boolean MORE_DEBUG = false;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// Name and current contents version of the full-backup manifest file
static final String BACKUP_MANIFEST_FILENAME = "_manifest";
static final int BACKUP_MANIFEST_VERSION = 1;
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
static final String BACKUP_FILE_HEADER_MAGIC = "ANDROID BACKUP\n";
static final int BACKUP_FILE_VERSION = 1;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
static final boolean COMPRESS_FULL_BACKUPS = true; // should be true in production
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
// How often we perform a backup pass. Privileged external callers can
// trigger an immediate pass.
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
private static final long BACKUP_INTERVAL = AlarmManager.INTERVAL_HOUR;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
Use setRepeating() rather than setInexactRepeating() for backup scheduling, and add some random fuzz to the scheduling times, to make sure we aren't creating hour-aligned server load spikes. See bug 2226553 for details & Dr. No information.
2009-10-30 17:35:39 -07:00
// Random variation in backup scheduling time to avoid server load spikes
private static final int FUZZ_MILLIS = 5 * 60 * 1000;
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
// The amount of time between the initial provisioning of the device and
// the first backup pass.
private static final long FIRST_BACKUP_INTERVAL = 12 * AlarmManager.INTERVAL_HOUR;
Refactor android.backup => android.app.backup Change-Id: I0b21316ff890d7f3c7d4b82837bb60670724c2e8
2010-03-05 15:46:30 -08:00
private static final String RUN_BACKUP_ACTION = "android.app.backup.intent.RUN";
private static final String RUN_INITIALIZE_ACTION = "android.app.backup.intent.INIT";
private static final String RUN_CLEAR_ACTION = "android.app.backup.intent.CLEAR";
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
private static final int MSG_RUN_BACKUP = 1;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
private static final int MSG_RUN_FULL_BACKUP = 2;
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
private static final int MSG_RUN_RESTORE = 3;
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
private static final int MSG_RUN_CLEAR = 4;
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
private static final int MSG_RUN_INITIALIZE = 5;
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
private static final int MSG_RUN_GET_RESTORE_SETS = 6;
private static final int MSG_TIMEOUT = 7;
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
private static final int MSG_RESTORE_TIMEOUT = 8;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
private static final int MSG_FULL_CONFIRMATION_TIMEOUT = 9;
private static final int MSG_RUN_FULL_RESTORE = 10;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// Timeout interval for deciding that a bind or clear-data has taken too long
static final long TIMEOUT_INTERVAL = 10 * 1000;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// Timeout intervals for agent backup & restore operations
static final long TIMEOUT_BACKUP_INTERVAL = 30 * 1000;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
static final long TIMEOUT_FULL_BACKUP_INTERVAL = 5 * 60 * 1000;
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
static final long TIMEOUT_SHARED_BACKUP_INTERVAL = 30 * 60 * 1000;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
static final long TIMEOUT_RESTORE_INTERVAL = 60 * 1000;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// User confirmation timeout for a full backup/restore operation. It's this long in
// order to give them time to enter the backup password.
static final long TIMEOUT_FULL_CONFIRMATION = 60 * 1000;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
private Context mContext;
private PackageManager mPackageManager;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
IPackageManager mPackageManagerBinder;
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
private IActivityManager mActivityManager;
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
private PowerManager mPowerManager;
private AlarmManager mAlarmManager;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
IBackupManager mBackupManagerBinder;
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
boolean mEnabled; // access to this is synchronized on 'this'
boolean mProvisioned;
Add auto-restore setting and Backup Manager awareness thereof This setting, like BACKUP_ENABLE, should never be set directly in the secure settings database. Instead, it should be manipulated through the new IBackupManager method setAutoRestore(boolean). Change-Id: I5c3226ca85b6148bb756d753d7f9e4ea76e878c4
2010-02-03 15:11:15 -08:00
boolean mAutoRestore;
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
PowerManager.WakeLock mWakelock;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
HandlerThread mHandlerThread = new HandlerThread("backup", Process.THREAD_PRIORITY_BACKGROUND);
BackupHandler mBackupHandler;
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
PendingIntent mRunBackupIntent, mRunInitIntent;
BroadcastReceiver mRunBackupReceiver, mRunInitReceiver;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
// map UIDs to the set of backup client services within that UID's app set
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
final SparseArray<HashSet<ApplicationInfo>> mBackupParticipants
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
= new SparseArray<HashSet<ApplicationInfo>>();
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
// set of backup services that have pending changes
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
class BackupRequest {
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
public ApplicationInfo appInfo;
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
BackupRequest(ApplicationInfo app) {
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
appInfo = app;
Add a Backup Manager interface to request a full backup Given a package name, the Backup Manager schedules a *full* (i.e. non- incremental) backup pass for that package. Also added the state-file handling for distinguishing to the target between the full and incremental backup requests.
2009-05-06 11:22:00 -07:00
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
public String toString() {
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
return "BackupRequest{app=" + appInfo + "}";
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
Add a Backup Manager interface to request a full backup Given a package name, the Backup Manager schedules a *full* (i.e. non- incremental) backup pass for that package. Also added the state-file handling for distinguishing to the target between the full and incremental backup requests.
2009-05-06 11:22:00 -07:00
}
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
// Backups that we haven't started yet. Keys are package names.
HashMap<String,BackupRequest> mPendingBackups
= new HashMap<String,BackupRequest>();
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
// Pseudoname that we use for the Package Manager metadata "package"
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
static final String PACKAGE_MANAGER_SENTINEL = "@pm@";
Add app version to the backup metadata We now record the version number of the app (drawn from its manifest versionCode attribute) along with its signatures. At restore time, we compare the version associated with the restore set with the version present on the device. If the restore set is from a newer version of the app than is present on device, we do not perform the restore operation. Also fix the pending-backup iteration in 'dumpsys backup'.
2009-06-19 14:14:22 -07:00
// locking around the pending-backup management
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
final Object mQueueLock = new Object();
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
// The thread performing the sequence of queued backups binds to each app's agent
// in succession. Bind notifications are asynchronously delivered through the
// Activity Manager; use this lock object to signal when a requested binding has
// completed.
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
final Object mAgentConnectLock = new Object();
IBackupAgent mConnectedAgent;
volatile boolean mConnecting;
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
volatile long mLastBackupPass;
volatile long mNextBackupPass;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
// A similar synchronization mechanism around clearing apps' data for restore
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
final Object mClearDataLock = new Object();
volatile boolean mClearingData;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
// Transport bookkeeping
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
final HashMap<String,IBackupTransport> mTransports
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
= new HashMap<String,IBackupTransport>();
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
String mCurrentTransport;
IBackupTransport mLocalTransport, mGoogleTransport;
Move towards a formal public API for backup and restore This commit makes a few changes towards establishing a formal application interface for interacting with the backup/restore mechanism: 1. Introduce public wrapper classes around the various binder interfaces; 3rd party code will never see the binders directly. 2. Progress update callbacks during a restore sequence now occur on the main thread, not in a binder thread [and not with system-process permissions!]. 3. Rename the BackupManagerService's inner "RestoreSession" class to avoid ambiguity with the new public "RestoreSession" class.
2010-01-25 19:37:47 -08:00
ActiveRestoreSession mActiveRestoreSession;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
class RestoreGetSetsParams {
public IBackupTransport transport;
public ActiveRestoreSession session;
public IRestoreObserver observer;
RestoreGetSetsParams(IBackupTransport _transport, ActiveRestoreSession _session,
IRestoreObserver _observer) {
transport = _transport;
session = _session;
observer = _observer;
}
}
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
class RestoreParams {
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
public IBackupTransport transport;
public IRestoreObserver observer;
Use a long for restore token
2009-06-26 13:20:02 -07:00
public long token;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
public PackageInfo pkgInfo;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
public int pmToken; // in post-install restore, the PM's token for this transaction
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
public boolean needFullBackup;
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
public String[] filterSet;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
RestoreParams(IBackupTransport _transport, IRestoreObserver _obs,
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
long _token, PackageInfo _pkg, int _pmToken, boolean _needFullBackup) {
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
transport = _transport;
observer = _obs;
token = _token;
pkgInfo = _pkg;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
pmToken = _pmToken;
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
needFullBackup = _needFullBackup;
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
filterSet = null;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
}
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
RestoreParams(IBackupTransport _transport, IRestoreObserver _obs, long _token,
boolean _needFullBackup) {
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
transport = _transport;
observer = _obs;
Use a long for restore token
2009-06-26 13:20:02 -07:00
token = _token;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
pkgInfo = null;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
pmToken = 0;
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
needFullBackup = _needFullBackup;
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
filterSet = null;
}
RestoreParams(IBackupTransport _transport, IRestoreObserver _obs, long _token,
String[] _filterSet, boolean _needFullBackup) {
transport = _transport;
observer = _obs;
token = _token;
pkgInfo = null;
pmToken = 0;
needFullBackup = _needFullBackup;
filterSet = _filterSet;
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
}
}
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
class ClearParams {
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
public IBackupTransport transport;
public PackageInfo packageInfo;
ClearParams(IBackupTransport _transport, PackageInfo _info) {
transport = _transport;
packageInfo = _info;
}
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
class FullParams {
public ParcelFileDescriptor fd;
public final AtomicBoolean latch;
public IFullBackupRestoreObserver observer;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
public String curPassword; // filled in by the confirmation step
public String encryptPassword;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
FullParams() {
latch = new AtomicBoolean(false);
}
}
class FullBackupParams extends FullParams {
public boolean includeApks;
public boolean includeShared;
public boolean allApps;
public String[] packages;
FullBackupParams(ParcelFileDescriptor output, boolean saveApks, boolean saveShared,
boolean doAllApps, String[] pkgList) {
fd = output;
includeApks = saveApks;
includeShared = saveShared;
allApps = doAllApps;
packages = pkgList;
}
}
class FullRestoreParams extends FullParams {
FullRestoreParams(ParcelFileDescriptor input) {
fd = input;
}
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// Bookkeeping of in-flight operations for timeout etc. purposes. The operation
// token is the index of the entry in the pending-operations list.
static final int OP_PENDING = 0;
static final int OP_ACKNOWLEDGED = 1;
static final int OP_TIMEOUT = -1;
final SparseIntArray mCurrentOperations = new SparseIntArray();
final Object mCurrentOpLock = new Object();
final Random mTokenGenerator = new Random();
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
final SparseArray<FullParams> mFullConfirmations = new SparseArray<FullParams>();
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
// Where we keep our journal files and other bookkeeping
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
File mBaseStateDir;
File mDataDir;
File mJournalDir;
File mJournal;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// Backup password, if any, and the file where it's saved. What is stored is not the
// password text itself; it's the result of a PBKDF2 hash with a randomly chosen (but
// persisted) salt. Validation is performed by running the challenge text through the
// same PBKDF2 cycle with the persisted salt; if the resulting derived key string matches
// the saved hash string, then the challenge text matches the originally supplied
// password text.
private final SecureRandom mRng = new SecureRandom();
private String mPasswordHash;
private File mPasswordHashFile;
private byte[] mPasswordSalt;
// Configuration of PBKDF2 that we use for generating pw hashes and intermediate keys
static final int PBKDF2_HASH_ROUNDS = 10000;
static final int PBKDF2_KEY_SIZE = 256; // bits
static final int PBKDF2_SALT_SIZE = 512; // bits
static final String ENCRYPTION_ALGORITHM_NAME = "AES-256";
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// Keep a log of all the apps we've ever backed up, and what the
// dataset tokens are for both the current backup dataset and
// the ancestral dataset.
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
private File mEverStored;
HashSet<String> mEverStoredApps = new HashSet<String>();
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
static final int CURRENT_ANCESTRAL_RECORD_VERSION = 1; // increment when the schema changes
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
File mTokenFile;
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
Set<String> mAncestralPackages = null;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
long mAncestralToken = 0;
long mCurrentToken = 0;
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// Persistently track the need to do a full init
static final String INIT_SENTINEL_FILE_NAME = "_need_init_";
HashSet<String> mPendingInits = new HashSet<String>(); // transport names
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// Utility: build a new random integer token
int generateToken() {
int token;
do {
synchronized (mTokenGenerator) {
token = mTokenGenerator.nextInt();
}
} while (token < 0);
return token;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// ----- Asynchronous backup/restore handler thread -----
private class BackupHandler extends Handler {
public BackupHandler(Looper looper) {
super(looper);
}
public void handleMessage(Message msg) {
switch (msg.what) {
case MSG_RUN_BACKUP:
{
mLastBackupPass = System.currentTimeMillis();
mNextBackupPass = mLastBackupPass + BACKUP_INTERVAL;
IBackupTransport transport = getTransport(mCurrentTransport);
if (transport == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "Backup requested but no transport available");
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
mWakelock.release();
break;
}
// snapshot the pending-backup set and work on that
ArrayList<BackupRequest> queue = new ArrayList<BackupRequest>();
Don't hold the backup queue lock across a backup operation This got lost in the shuffle when the backup process was retooled to run synchronously within a single spun-off HandlerThread. Formerly it was okay to hold the lock around the point in time when the backup service thread was being spun off, but once that became synchronous it wound up locking out apps' calls to dataChanged(), which in turn led to ANRs. Bug: 2421333 Change-Id: Icf378e5733af5f28a689c564494486cd3555eca7
2010-02-05 10:41:27 -08:00
File oldJournal = mJournal;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
synchronized (mQueueLock) {
Don't hold the backup queue lock across a backup operation This got lost in the shuffle when the backup process was retooled to run synchronously within a single spun-off HandlerThread. Formerly it was okay to hold the lock around the point in time when the backup service thread was being spun off, but once that became synchronous it wound up locking out apps' calls to dataChanged(), which in turn led to ANRs. Bug: 2421333 Change-Id: Icf378e5733af5f28a689c564494486cd3555eca7
2010-02-05 10:41:27 -08:00
// Do we have any work to do? Construct the work queue
// then release the synchronization lock to actually run
// the backup.
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
if (mPendingBackups.size() > 0) {
for (BackupRequest b: mPendingBackups.values()) {
queue.add(b);
}
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "clearing pending backups");
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
mPendingBackups.clear();
// Start a new backup-queue journal file too
mJournal = null;
}
}
Don't hold the backup queue lock across a backup operation This got lost in the shuffle when the backup process was retooled to run synchronously within a single spun-off HandlerThread. Formerly it was okay to hold the lock around the point in time when the backup service thread was being spun off, but once that became synchronous it wound up locking out apps' calls to dataChanged(), which in turn led to ANRs. Bug: 2421333 Change-Id: Icf378e5733af5f28a689c564494486cd3555eca7
2010-02-05 10:41:27 -08:00
if (queue.size() > 0) {
// At this point, we have started a new journal file, and the old
// file identity is being passed to the backup processing thread.
// When it completes successfully, that old journal file will be
// deleted. If we crash prior to that, the old journal is parsed
// at next boot and the journaled requests fulfilled.
(new PerformBackupTask(transport, queue, oldJournal)).run();
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "Backup requested but nothing pending");
Don't hold the backup queue lock across a backup operation This got lost in the shuffle when the backup process was retooled to run synchronously within a single spun-off HandlerThread. Formerly it was okay to hold the lock around the point in time when the backup service thread was being spun off, but once that became synchronous it wound up locking out apps' calls to dataChanged(), which in turn led to ANRs. Bug: 2421333 Change-Id: Icf378e5733af5f28a689c564494486cd3555eca7
2010-02-05 10:41:27 -08:00
mWakelock.release();
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
break;
}
case MSG_RUN_FULL_BACKUP:
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
{
FullBackupParams params = (FullBackupParams)msg.obj;
(new PerformFullBackupTask(params.fd, params.observer, params.includeApks,
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
params.includeShared, params.curPassword, params.encryptPassword,
params.allApps, params.packages, params.latch)).run();
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
break;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
case MSG_RUN_RESTORE:
{
RestoreParams params = (RestoreParams)msg.obj;
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "MSG_RUN_RESTORE observer=" + params.observer);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
(new PerformRestoreTask(params.transport, params.observer,
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
params.token, params.pkgInfo, params.pmToken,
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
params.needFullBackup, params.filterSet)).run();
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
break;
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
case MSG_RUN_FULL_RESTORE:
{
FullRestoreParams params = (FullRestoreParams)msg.obj;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
(new PerformFullRestoreTask(params.fd, params.curPassword, params.encryptPassword,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
params.observer, params.latch)).run();
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
break;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
case MSG_RUN_CLEAR:
{
ClearParams params = (ClearParams)msg.obj;
(new PerformClearTask(params.transport, params.packageInfo)).run();
break;
}
case MSG_RUN_INITIALIZE:
{
HashSet<String> queue;
// Snapshot the pending-init queue and work on that
synchronized (mQueueLock) {
queue = new HashSet<String>(mPendingInits);
mPendingInits.clear();
}
(new PerformInitializeTask(queue)).run();
break;
}
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
case MSG_RUN_GET_RESTORE_SETS:
{
// Like other async operations, this is entered with the wakelock held
RestoreSet[] sets = null;
RestoreGetSetsParams params = (RestoreGetSetsParams)msg.obj;
try {
sets = params.transport.getAvailableRestoreSets();
// cache the result in the active session
synchronized (params.session) {
params.session.mRestoreSets = sets;
}
if (sets == null) EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
} catch (Exception e) {
Slog.e(TAG, "Error from transport getting set list");
} finally {
if (params.observer != null) {
try {
params.observer.restoreSetsAvailable(sets);
} catch (RemoteException re) {
Slog.e(TAG, "Unable to report listing to observer");
} catch (Exception e) {
Slog.e(TAG, "Restore observer threw", e);
}
}
Don't spuriously time out restore sessions If a restore set lookup took a long time, the client's restore session could be declared timed out even though the client was not at fault. Handle this properly by resetting the timeout clock when control of the session is returned to the client. Bug 3477324 Change-Id: I43afaf1063e8e706ef16b70be77f9eeeea6a321f
2011-03-03 17:30:32 -08:00
// Done: reset the session timeout clock
removeMessages(MSG_RESTORE_TIMEOUT);
sendEmptyMessageDelayed(MSG_RESTORE_TIMEOUT, TIMEOUT_RESTORE_INTERVAL);
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
mWakelock.release();
}
break;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
case MSG_TIMEOUT:
{
synchronized (mCurrentOpLock) {
final int token = msg.arg1;
int state = mCurrentOperations.get(token, OP_TIMEOUT);
if (state == OP_PENDING) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "TIMEOUT: token=" + token);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
mCurrentOperations.put(token, OP_TIMEOUT);
}
mCurrentOpLock.notifyAll();
}
break;
}
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
case MSG_RESTORE_TIMEOUT:
{
synchronized (BackupManagerService.this) {
if (mActiveRestoreSession != null) {
// Client app left the restore session dangling. We know that it
// can't be in the middle of an actual restore operation because
// those are executed serially on this same handler thread. Clean
// up now.
Slog.w(TAG, "Restore session timed out; aborting");
post(mActiveRestoreSession.new EndRestoreRunnable(
BackupManagerService.this, mActiveRestoreSession));
}
}
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
case MSG_FULL_CONFIRMATION_TIMEOUT:
{
synchronized (mFullConfirmations) {
FullParams params = mFullConfirmations.get(msg.arg1);
if (params != null) {
Slog.i(TAG, "Full backup/restore timed out waiting for user confirmation");
// Release the waiter; timeout == completion
signalFullBackupRestoreCompletion(params);
// Remove the token from the set
mFullConfirmations.delete(msg.arg1);
// Report a timeout to the observer, if any
if (params.observer != null) {
try {
params.observer.onTimeout();
} catch (RemoteException e) {
/* don't care if the app has gone away */
}
}
} else {
Slog.d(TAG, "couldn't find params for token " + msg.arg1);
}
}
break;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
}
}
}
// ----- Main service implementation -----
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
public BackupManagerService(Context context) {
mContext = context;
mPackageManager = context.getPackageManager();
Some ActivityThread/ActivityManager cleanup. - Move PackageInfo out of ActivityThread, renaming to LoadedApk. - Rename some of the other PacakgeInfo inner classes to better represent what they are. - Rename HistoryRecord to ActivityRecord. - Introduce AppGlobals, to eventually let ActivityThread become package scoped. Change-Id: Ib714c54ceb3cdbb525dce3db9505f31042e88cf0
2010-06-24 15:07:24 -07:00
mPackageManagerBinder = AppGlobals.getPackageManager();
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
mActivityManager = ActivityManagerNative.getDefault();
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mAlarmManager = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
mPowerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
mBackupManagerBinder = asInterface(asBinder());
// spin up the backup/restore handler thread
mHandlerThread = new HandlerThread("backup", Process.THREAD_PRIORITY_BACKGROUND);
mHandlerThread.start();
mBackupHandler = new BackupHandler(mHandlerThread.getLooper());
Squashed commit of the following: Author: Christopher Tate <ctate@google.com> Date: Mon May 4 16:38:11 2009 -0700 IBackupService now passes ParcelFileDescriptors rather than int fds The outlines of backup state file / data file handling are now in place as well in the BackupManagerService. Author: Christopher Tate <ctate@google.com> Date: Thu Apr 30 12:40:19 2009 -0700 Hide the backup stuff for now Also adjust based on comments: + changed service intent string to conform to usage guidelines + only publish the IBackupService binder when invoked with the right intent action + docs tweaks
2009-05-04 16:41:53 -07:00
// Set up our bookkeeping
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
boolean areEnabled = Settings.Secure.getInt(context.getContentResolver(),
Move backup state to settings, change permission checks to use symbol. This changes the backup service to use the settings provider instead of system properties, correspondingly making it off by default and allowing specific devices to define the transport. Also tweaks the permission checks to use the permission symbol instead of raw strings. This requires some corresponding changes in the vendor projects.
2009-07-01 19:55:20 -07:00
Settings.Secure.BACKUP_ENABLED, 0) != 0;
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
mProvisioned = Settings.Secure.getInt(context.getContentResolver(),
Backup manager should default to not "provisioned" so backups don't start until the setup wizard is done.
2009-07-27 08:56:39 -07:00
Settings.Secure.BACKUP_PROVISIONED, 0) != 0;
Add auto-restore setting and Backup Manager awareness thereof This setting, like BACKUP_ENABLE, should never be set directly in the secure settings database. Instead, it should be manipulated through the new IBackupManager method setAutoRestore(boolean). Change-Id: I5c3226ca85b6148bb756d753d7f9e4ea76e878c4
2010-02-03 15:11:15 -08:00
mAutoRestore = Settings.Secure.getInt(context.getContentResolver(),
Default the auto-restore setting to "enabled." Change-Id: I7d8710466214a1b09aabdd71e77b9b34d3d62365
2010-02-25 18:01:14 -08:00
Settings.Secure.BACKUP_AUTO_RESTORE, 1) != 0;
Encrypted File Systems Project. Installer modifications. Started to modify isntaller for data redirection to a secure location.
2009-11-18 10:14:20 -08:00
// If Encrypted file systems is enabled or disabled, this call will return the
// correct directory.
Revert "Remove the APIs for the old encryption scheme." This reverts commit 1125d780a8b61703b8eb28c5c77dac5f3f0022dd.
2011-01-13 14:15:43 -06:00
mBaseStateDir = new File(Environment.getSecureDataDirectory(), "backup");
Encrypted File Systems Project. Installer modifications. Started to modify isntaller for data redirection to a secure location.
2009-11-18 10:14:20 -08:00
mBaseStateDir.mkdirs();
Further development of backup file handling Put backup data in flight into /cache Close the files and delete the intermediates after backup pass
2009-05-05 15:50:03 -07:00
mDataDir = Environment.getDownloadCacheDirectory();
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
mPasswordHashFile = new File(mBaseStateDir, "pwhash");
if (mPasswordHashFile.exists()) {
FileInputStream fin = null;
DataInputStream in = null;
try {
fin = new FileInputStream(mPasswordHashFile);
in = new DataInputStream(new BufferedInputStream(fin));
// integer length of the salt array, followed by the salt,
// then the hex pw hash string
int saltLen = in.readInt();
byte[] salt = new byte[saltLen];
in.readFully(salt);
mPasswordHash = in.readUTF();
mPasswordSalt = salt;
} catch (IOException e) {
Slog.e(TAG, "Unable to read saved backup pw hash");
} finally {
try {
if (in != null) in.close();
if (fin != null) fin.close();
} catch (IOException e) {
Slog.w(TAG, "Unable to close streams");
}
}
}
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// Alarm receivers for scheduled backups & initialization operations
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mRunBackupReceiver = new RunBackupReceiver();
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
IntentFilter filter = new IntentFilter();
filter.addAction(RUN_BACKUP_ACTION);
context.registerReceiver(mRunBackupReceiver, filter,
android.Manifest.permission.BACKUP, null);
mRunInitReceiver = new RunInitializeReceiver();
filter = new IntentFilter();
filter.addAction(RUN_INITIALIZE_ACTION);
context.registerReceiver(mRunInitReceiver, filter,
android.Manifest.permission.BACKUP, null);
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
Intent backupIntent = new Intent(RUN_BACKUP_ACTION);
backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
mRunBackupIntent = PendingIntent.getBroadcast(context, MSG_RUN_BACKUP, backupIntent, 0);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
Intent initIntent = new Intent(RUN_INITIALIZE_ACTION);
backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
mRunInitIntent = PendingIntent.getBroadcast(context, MSG_RUN_INITIALIZE, initIntent, 0);
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
// Set up the backup-request journaling
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
mJournalDir = new File(mBaseStateDir, "pending");
mJournalDir.mkdirs(); // creates mBaseStateDir along the way
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
mJournal = null; // will be created on first use
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
// Set up the various sorts of package tracking we do
initPackageTracking();
Use signatures on restore On restore now, the backup manager gets the signature blocks corresponding to the restore set from the transport. It then validates those signatures against the on-device app signatures, and refuses to restore data to an app whose on-device sig block does not match the backup image's. Also actually implement 'bmgr transport N' so that we can select the local transport easily during runtime.
2009-06-18 18:35:32 -07:00
// Build our mapping of uid to backup client services. This implicitly
// schedules a backup pass on the Package Manager metadata the first
// time anything needs to be backed up.
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
synchronized (mBackupParticipants) {
addPackageParticipantsLocked(null);
}
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
// Set up our transport options and initialize the default transport
// TODO: Have transports register themselves somehow?
// TODO: Don't create transports that we don't need to?
mLocalTransport = new LocalTransport(context); // This is actually pretty cheap
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
ComponentName localName = new ComponentName(context, LocalTransport.class);
registerTransport(localName.flattenToShortString(), mLocalTransport);
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
mGoogleTransport = null;
Move backup state to settings, change permission checks to use symbol. This changes the backup service to use the settings provider instead of system properties, correspondingly making it off by default and allowing specific devices to define the transport. Also tweaks the permission checks to use the permission symbol instead of raw strings. This requires some corresponding changes in the vendor projects.
2009-07-01 19:55:20 -07:00
mCurrentTransport = Settings.Secure.getString(context.getContentResolver(),
Settings.Secure.BACKUP_TRANSPORT);
if ("".equals(mCurrentTransport)) {
mCurrentTransport = null;
Use secure settings for backup enable / transport selection
2009-07-01 11:43:53 -07:00
}
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Starting with transport " + mCurrentTransport);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
// Attach to the Google backup transport. When this comes up, it will set
// itself as the current transport because we explicitly reset mCurrentTransport
// to null.
Fix security hole in Google backup transport registration Previously, it was conceivable that a 3rd party application on a non-GED device could publish a service that supported the (hidden) IBackupTransport interface and spoofed the Google backup transport's package and component name. This could allow it to secretly intercept all data moved through the backup mechanism. Fix by ensuring that the package in question exists and is part of the OS itself (FLAG_SYSTEM in its ApplicationInfo description) before binding to it. Fixes bug #2457063 Change-Id: I3487572be45c2014fa209beacfe3ac6f8270f872
2010-04-21 17:58:07 -07:00
ComponentName transportComponent = new ComponentName("com.google.android.backup",
"com.google.android.backup.BackupTransportService");
try {
// If there's something out there that is supposed to be the Google
// backup transport, make sure it's legitimately part of the OS build
// and not an app lying about its package name.
ApplicationInfo info = mPackageManager.getApplicationInfo(
transportComponent.getPackageName(), 0);
if ((info.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
if (DEBUG) Slog.v(TAG, "Binding to Google transport");
Intent intent = new Intent().setComponent(transportComponent);
context.bindService(intent, mGoogleConnection, Context.BIND_AUTO_CREATE);
} else {
Slog.w(TAG, "Possible Google transport spoof: ignoring " + info);
}
} catch (PackageManager.NameNotFoundException nnf) {
// No such package? No binding.
if (DEBUG) Slog.v(TAG, "Google transport not present");
}
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
// Now that we know about valid backup participants, parse any
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
// leftover journal files into the pending backup set
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
parseLeftoverJournals();
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
// Power management
Track client requests through location manager. This fixes a problem where applications could ask the location manager to do very heavy-weight things (like... say... update location every minute), which would get accounted against the system instead of the application because ultimately it is the system making the heavy calls (wake locks, etc). To solve this, we introduce a new class WorkSource representing the source of some work. Wake locks and Wifi locks allow you to set the source to use (but only if you are system code and thus can get the permission to do so), which is what will be reported to the battery stats until the actual caller. For the initial implementation, the location manager keeps track of all clients requesting periodic updates, and tells its providers about them as a WorkSource param when setting their min update time. The network location provider uses this to set the source on the wake and wifi locks it acquires, when doing work because of the update period. This should also be used elsewhere, such as in the GPS provider, but this is a good start. Change-Id: I2b6ffafad9e90ecf15d7c502e2db675fd52ae3cf
2010-09-10 18:43:00 -07:00
mWakelock = mPowerManager.newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, "*backup*");
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
// Start the backup passes going
setBackupEnabled(areEnabled);
}
private class RunBackupReceiver extends BroadcastReceiver {
public void onReceive(Context context, Intent intent) {
if (RUN_BACKUP_ACTION.equals(intent.getAction())) {
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
synchronized (mQueueLock) {
if (mPendingInits.size() > 0) {
// If there are pending init operations, we process those
// and then settle into the usual periodic backup schedule.
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Init pending at scheduled backup");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
try {
mAlarmManager.cancel(mRunInitIntent);
mRunInitIntent.send();
} catch (PendingIntent.CanceledException ce) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Run init intent cancelled");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// can't really do more than bail here
}
} else {
Get rid of now-superfluous "backup or restore in progress" tracking Now that backup/restore/etc operations are queued and serialized, we no longer need to use external state tracking to prevent overlapping operations. Change-Id: I14f2a5d740cb97ae062aad55a06f49a2be5dd985
2010-02-02 15:18:58 -08:00
// Don't run backups now if we're disabled or not yet
// fully set up.
if (mEnabled && mProvisioned) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Running a backup pass");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// Acquire the wakelock and pass it to the backup thread. it will
// be released once backup concludes.
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_BACKUP);
mBackupHandler.sendMessage(msg);
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Backup pass but e=" + mEnabled + " p=" + mProvisioned);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
}
}
}
}
}
}
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
private class RunInitializeReceiver extends BroadcastReceiver {
public void onReceive(Context context, Intent intent) {
if (RUN_INITIALIZE_ACTION.equals(intent.getAction())) {
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
synchronized (mQueueLock) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Running a device init");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// Acquire the wakelock and pass it to the init thread. it will
// be released once init concludes.
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mWakelock.acquire();
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
Message msg = mBackupHandler.obtainMessage(MSG_RUN_INITIALIZE);
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mBackupHandler.sendMessage(msg);
}
}
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
}
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
private void initPackageTracking() {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Initializing package tracking");
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// Remember our ancestral dataset
mTokenFile = new File(mBaseStateDir, "ancestral");
try {
RandomAccessFile tf = new RandomAccessFile(mTokenFile, "r");
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
int version = tf.readInt();
if (version == CURRENT_ANCESTRAL_RECORD_VERSION) {
mAncestralToken = tf.readLong();
mCurrentToken = tf.readLong();
int numPackages = tf.readInt();
if (numPackages >= 0) {
mAncestralPackages = new HashSet<String>();
for (int i = 0; i < numPackages; i++) {
String pkgName = tf.readUTF();
mAncestralPackages.add(pkgName);
}
}
}
Close some things in system_server that CloseGuard found. Change-Id: I788c022235caddcb1972a34131442a683cd51eb5
2010-11-15 11:12:42 -08:00
tf.close();
Tone down a non-error log message about lack of ancestral dataset tracking Change-Id: I2e5e48c9b695d6225016365907fe8edc73ab2c8e
2010-02-17 13:03:40 -08:00
} catch (FileNotFoundException fnf) {
// Probably innocuous
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "No ancestral data");
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
} catch (IOException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Unable to read token file", e);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
}
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
// Keep a log of what apps we've ever backed up. Because we might have
// rebooted in the middle of an operation that was removing something from
// this log, we sanity-check its contents here and reconstruct it.
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
mEverStored = new File(mBaseStateDir, "processed");
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
File tempProcessedFile = new File(mBaseStateDir, "processed.new");
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
// If we were in the middle of removing something from the ever-backed-up
// file, there might be a transient "processed.new" file still present.
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
// Ignore it -- we'll validate "processed" against the current package set.
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
if (tempProcessedFile.exists()) {
tempProcessedFile.delete();
}
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
// If there are previous contents, parse them out then start a new
// file to continue the recordkeeping.
if (mEverStored.exists()) {
RandomAccessFile temp = null;
RandomAccessFile in = null;
try {
temp = new RandomAccessFile(tempProcessedFile, "rws");
in = new RandomAccessFile(mEverStored, "r");
while (true) {
PackageInfo info;
String pkg = in.readUTF();
try {
info = mPackageManager.getPackageInfo(pkg, 0);
mEverStoredApps.add(pkg);
temp.writeUTF(pkg);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, " + " + pkg);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
} catch (NameNotFoundException e) {
// nope, this package was uninstalled; don't include it
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, " - " + pkg);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
}
}
} catch (EOFException e) {
// Once we've rewritten the backup history log, atomically replace the
// old one with the new one then reopen the file for continuing use.
if (!tempProcessedFile.renameTo(mEverStored)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error renaming " + tempProcessedFile + " to " + mEverStored);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
}
} catch (IOException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error in processed file", e);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
} finally {
try { if (temp != null) temp.close(); } catch (IOException e) {}
try { if (in != null) in.close(); } catch (IOException e) {}
}
}
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
// Register for broadcasts about package install, etc., so we can
// update the provider list.
IntentFilter filter = new IntentFilter();
filter.addAction(Intent.ACTION_PACKAGE_ADDED);
filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
filter.addDataScheme("package");
mContext.registerReceiver(mBroadcastReceiver, filter);
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
// Register for events related to sdcard installation.
IntentFilter sdFilter = new IntentFilter();
Rename media resource broadcasts Add checks for fwdlocked and updated system apps add more tests remove duplicate adds
2010-02-04 22:51:07 -08:00
sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE);
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
mContext.registerReceiver(mBroadcastReceiver, sdFilter);
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
}
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
private void parseLeftoverJournals() {
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
for (File f : mJournalDir.listFiles()) {
if (mJournal == null || f.compareTo(mJournal) != 0) {
// This isn't the current journal, so it must be a leftover. Read
// out the package names mentioned there and schedule them for
// backup.
RandomAccessFile in = null;
try {
Reduce logging. Remember, the system and main logs are - Shared resources - Primarily for recording problems - To be used only for large grained events during normal operation Bug: 3104855 Change-Id: I136fbd101917dcbc8ebc3f96f276426b48bde7b7
2010-10-18 19:13:23 -04:00
Slog.i(TAG, "Found stale backup journal, scheduling");
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
in = new RandomAccessFile(f, "r");
while (true) {
String packageName = in.readUTF();
Reduce logging. Remember, the system and main logs are - Shared resources - Primarily for recording problems - To be used only for large grained events during normal operation Bug: 3104855 Change-Id: I136fbd101917dcbc8ebc3f96f276426b48bde7b7
2010-10-18 19:13:23 -04:00
Slog.i(TAG, " " + packageName);
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
dataChangedImpl(packageName);
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
}
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
} catch (EOFException e) {
// no more data; we're done
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Can't read " + f, e);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
} finally {
// close/delete the file
try { if (in != null) in.close(); } catch (IOException e) {}
f.delete();
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
}
}
}
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
private SecretKey buildPasswordKey(String pw, byte[] salt, int rounds) {
return buildCharArrayKey(pw.toCharArray(), salt, rounds);
}
private SecretKey buildCharArrayKey(char[] pwArray, byte[] salt, int rounds) {
try {
SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
KeySpec ks = new PBEKeySpec(pwArray, salt, rounds, PBKDF2_KEY_SIZE);
return keyFactory.generateSecret(ks);
} catch (InvalidKeySpecException e) {
Slog.e(TAG, "Invalid key spec for PBKDF2!");
} catch (NoSuchAlgorithmException e) {
Slog.e(TAG, "PBKDF2 unavailable!");
}
return null;
}
private String buildPasswordHash(String pw, byte[] salt, int rounds) {
SecretKey key = buildPasswordKey(pw, salt, rounds);
if (key != null) {
return byteArrayToHex(key.getEncoded());
}
return null;
}
private String byteArrayToHex(byte[] data) {
StringBuilder buf = new StringBuilder(data.length * 2);
for (int i = 0; i < data.length; i++) {
buf.append(Byte.toHexString(data[i], true));
}
return buf.toString();
}
private byte[] hexToByteArray(String digits) {
final int bytes = digits.length() / 2;
if (2*bytes != digits.length()) {
throw new IllegalArgumentException("Hex string must have an even number of digits");
}
byte[] result = new byte[bytes];
for (int i = 0; i < digits.length(); i += 2) {
result[i/2] = (byte) Integer.parseInt(digits.substring(i, i+2), 16);
}
return result;
}
private byte[] makeKeyChecksum(byte[] pwBytes, byte[] salt, int rounds) {
char[] mkAsChar = new char[pwBytes.length];
for (int i = 0; i < pwBytes.length; i++) {
mkAsChar[i] = (char) pwBytes[i];
}
Key checksum = buildCharArrayKey(mkAsChar, salt, rounds);
return checksum.getEncoded();
}
// Used for generating random salts or passwords
private byte[] randomBytes(int bits) {
byte[] array = new byte[bits / 8];
mRng.nextBytes(array);
return array;
}
// Backup password management
boolean passwordMatchesSaved(String candidatePw, int rounds) {
if (mPasswordHash == null) {
// no current password case -- require that 'currentPw' be null or empty
if (candidatePw == null || "".equals(candidatePw)) {
return true;
} // else the non-empty candidate does not match the empty stored pw
} else {
// hash the stated current pw and compare to the stored one
if (candidatePw != null && candidatePw.length() > 0) {
String currentPwHash = buildPasswordHash(candidatePw, mPasswordSalt, rounds);
if (mPasswordHash.equalsIgnoreCase(currentPwHash)) {
// candidate hash matches the stored hash -- the password matches
return true;
}
} // else the stored pw is nonempty but the candidate is empty; no match
}
return false;
}
@Override
public boolean setBackupPassword(String currentPw, String newPw) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"setBackupPassword");
// If the supplied pw doesn't hash to the the saved one, fail
if (!passwordMatchesSaved(currentPw, PBKDF2_HASH_ROUNDS)) {
return false;
}
// Clearing the password is okay
if (newPw == null || newPw.isEmpty()) {
if (mPasswordHashFile.exists()) {
if (!mPasswordHashFile.delete()) {
// Unable to delete the old pw file, so fail
Slog.e(TAG, "Unable to clear backup password");
return false;
}
}
mPasswordHash = null;
mPasswordSalt = null;
return true;
}
try {
// Okay, build the hash of the new backup password
byte[] salt = randomBytes(PBKDF2_SALT_SIZE);
String newPwHash = buildPasswordHash(newPw, salt, PBKDF2_HASH_ROUNDS);
OutputStream pwf = null, buffer = null;
DataOutputStream out = null;
try {
pwf = new FileOutputStream(mPasswordHashFile);
buffer = new BufferedOutputStream(pwf);
out = new DataOutputStream(buffer);
// integer length of the salt array, followed by the salt,
// then the hex pw hash string
out.writeInt(salt.length);
out.write(salt);
out.writeUTF(newPwHash);
out.flush();
mPasswordHash = newPwHash;
mPasswordSalt = salt;
return true;
} finally {
if (out != null) out.close();
if (buffer != null) buffer.close();
if (pwf != null) pwf.close();
}
} catch (IOException e) {
Slog.e(TAG, "Unable to set backup password");
}
return false;
}
@Override
public boolean hasBackupPassword() {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"hasBackupPassword");
return (mPasswordHash != null && mPasswordHash.length() > 0);
}
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// Maintain persistent state around whether need to do an initialize operation.
// Must be called with the queue lock held.
void recordInitPendingLocked(boolean isPending, String transportName) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.i(TAG, "recordInitPendingLocked: " + isPending
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
+ " on transport " + transportName);
try {
IBackupTransport transport = getTransport(transportName);
String transportDirName = transport.transportDirName();
File stateDir = new File(mBaseStateDir, transportDirName);
File initPendingFile = new File(stateDir, INIT_SENTINEL_FILE_NAME);
if (isPending) {
// We need an init before we can proceed with sending backup data.
// Record that with an entry in our set of pending inits, as well as
// journaling it via creation of a sentinel file.
mPendingInits.add(transportName);
try {
(new FileOutputStream(initPendingFile)).close();
} catch (IOException ioe) {
// Something is badly wrong with our permissions; just try to move on
}
} else {
// No more initialization needed; wipe the journal and reset our state.
initPendingFile.delete();
mPendingInits.remove(transportName);
}
} catch (RemoteException e) {
// can't happen; the transport is local
}
}
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
// Reset all of our bookkeeping, in response to having been told that
// the backend data has been wiped [due to idle expiry, for example],
// so we must re-upload all saved settings.
void resetBackupState(File stateFileDir) {
synchronized (mQueueLock) {
// Wipe the "what we've ever backed up" tracking
mEverStoredApps.clear();
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
mEverStored.delete();
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
mCurrentToken = 0;
writeRestoreTokens();
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
// Remove all the state files
for (File sf : stateFileDir.listFiles()) {
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// ... but don't touch the needs-init sentinel
if (!sf.getName().equals(INIT_SENTINEL_FILE_NAME)) {
sf.delete();
}
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
}
Fix deadlock in BackupManagerService Lock ordering bug. The fix is to avoid having to hold both locks simultaneously in one prong of the deadlock. (Further strengthening: the code path for potentially acquiring both simultaneously now begins at a common method, ensuring that lock ordering is always consistent.) Change-Id: If9433aff8326fec2ba0e97e96ad2d835b01e2cda
2011-04-04 16:59:21 -07:00
}
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
Fix deadlock in BackupManagerService Lock ordering bug. The fix is to avoid having to hold both locks simultaneously in one prong of the deadlock. (Further strengthening: the code path for potentially acquiring both simultaneously now begins at a common method, ensuring that lock ordering is always consistent.) Change-Id: If9433aff8326fec2ba0e97e96ad2d835b01e2cda
2011-04-04 16:59:21 -07:00
// Enqueue a new backup of every participant
int N = mBackupParticipants.size();
for (int i=0; i<N; i++) {
int uid = mBackupParticipants.keyAt(i);
HashSet<ApplicationInfo> participants = mBackupParticipants.valueAt(i);
for (ApplicationInfo app: participants) {
dataChangedImpl(app.packageName);
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
}
}
}
Don't crash the system process when a backup transport unregisters Bug: 2342503
2009-12-22 16:01:32 -08:00
// Add a transport to our set of available backends. If 'transport' is null, this
// is an unregistration, and the transport's entry is removed from our bookkeeping.
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
private void registerTransport(String name, IBackupTransport transport) {
synchronized (mTransports) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Registering transport " + name + " = " + transport);
Don't crash the system process when a backup transport unregisters Bug: 2342503
2009-12-22 16:01:32 -08:00
if (transport != null) {
mTransports.put(name, transport);
} else {
mTransports.remove(name);
Don't crash on transport unregistration if there is no current transport Change-Id: Icd0962254ba224a7be27d408dffb25b634f67863
2010-01-29 16:27:04 -08:00
if ((mCurrentTransport != null) && mCurrentTransport.equals(name)) {
Don't crash the system process when a backup transport unregisters Bug: 2342503
2009-12-22 16:01:32 -08:00
mCurrentTransport = null;
}
// Nothing further to do in the unregistration case
return;
}
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
}
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// If the init sentinel file exists, we need to be sure to perform the init
// as soon as practical. We also create the state directory at registration
// time to ensure it's present from the outset.
try {
String transportName = transport.transportDirName();
File stateDir = new File(mBaseStateDir, transportName);
stateDir.mkdirs();
File initSentinel = new File(stateDir, INIT_SENTINEL_FILE_NAME);
if (initSentinel.exists()) {
synchronized (mQueueLock) {
mPendingInits.add(transportName);
// TODO: pick a better starting time than now + 1 minute
long delay = 1000 * 60; // one minute, in milliseconds
mAlarmManager.set(AlarmManager.RTC_WAKEUP,
System.currentTimeMillis() + delay, mRunInitIntent);
}
}
} catch (RemoteException e) {
// can't happen, the transport is local
}
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
// ----- Track installation/removal of packages -----
BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() {
public void onReceive(Context context, Intent intent) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.d(TAG, "Received broadcast " + intent);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
String action = intent.getAction();
boolean replacing = false;
boolean added = false;
Bundle extras = intent.getExtras();
String pkgList[] = null;
if (Intent.ACTION_PACKAGE_ADDED.equals(action) ||
Intent.ACTION_PACKAGE_REMOVED.equals(action)) {
Uri uri = intent.getData();
if (uri == null) {
return;
}
String pkgName = uri.getSchemeSpecificPart();
if (pkgName != null) {
pkgList = new String[] { pkgName };
}
added = Intent.ACTION_PACKAGE_ADDED.equals(action);
replacing = extras.getBoolean(Intent.EXTRA_REPLACING, false);
Rename media resource broadcasts Add checks for fwdlocked and updated system apps add more tests remove duplicate adds
2010-02-04 22:51:07 -08:00
} else if (Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE.equals(action)) {
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
added = true;
pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
Rename media resource broadcasts Add checks for fwdlocked and updated system apps add more tests remove duplicate adds
2010-02-04 22:51:07 -08:00
} else if (Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE.equals(action)) {
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
added = false;
pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
if (pkgList == null || pkgList.length == 0) {
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
return;
}
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
if (added) {
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
synchronized (mBackupParticipants) {
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
for (String pkgName : pkgList) {
if (replacing) {
// The package was just upgraded
updatePackageParticipantsLocked(pkgName);
} else {
// The package was just added
addPackageParticipantsLocked(pkgName);
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
}
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
} else {
if (replacing) {
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
// The package is being updated. We'll receive a PACKAGE_ADDED shortly.
} else {
synchronized (mBackupParticipants) {
Apps on sdcard: Add new broadcasts Add new broadcasts ACTION_MEDIA_RESOURCES_AVAILABLE and ACTION_MEDIA_RESOURCES_UNAVAILABLE that get broadcast by PackageManagerService when sdcard gets mounted/unmounted by MountService so that packages on sdcard get recognized by various system services as being installed/available or removed/unavailable by the system. The broadcasts are sent before the actual package cleanup which includes mounting/unmounting the packages and we force a gc right after so that any lingering file references to resources on sdcard get released.
2010-01-28 09:57:30 -08:00
for (String pkgName : pkgList) {
removePackageParticipantsLocked(pkgName);
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
}
}
}
};
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
// ----- Track connection to GoogleBackupTransport service -----
ServiceConnection mGoogleConnection = new ServiceConnection() {
public void onServiceConnected(ComponentName name, IBinder service) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Connected to Google transport");
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
mGoogleTransport = IBackupTransport.Stub.asInterface(service);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
registerTransport(name.flattenToShortString(), mGoogleTransport);
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
}
public void onServiceDisconnected(ComponentName name) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Disconnected from Google transport");
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
mGoogleTransport = null;
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
registerTransport(name.flattenToShortString(), null);
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
}
};
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
// Add the backup agents in the given package to our set of known backup participants.
// If 'packageName' is null, adds all backup agents in the whole system.
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
void addPackageParticipantsLocked(String packageName) {
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
// Look for apps that define the android:backupAgent attribute
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "addPackageParticipantsLocked: " + packageName);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
List<PackageInfo> targetApps = allAgentPackages();
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
addPackageParticipantsLockedInner(packageName, targetApps);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
private void addPackageParticipantsLockedInner(String packageName,
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
List<PackageInfo> targetPkgs) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "Adding " + targetPkgs.size() + " backup participants:");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
for (PackageInfo p : targetPkgs) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, " " + p + " agent=" + p.applicationInfo.backupAgentName
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
+ " uid=" + p.applicationInfo.uid
+ " killAfterRestore="
+ (((p.applicationInfo.flags & ApplicationInfo.FLAG_KILL_AFTER_RESTORE) != 0) ? "true" : "false")
);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
for (PackageInfo pkg : targetPkgs) {
if (packageName == null || pkg.packageName.equals(packageName)) {
int uid = pkg.applicationInfo.uid;
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
HashSet<ApplicationInfo> set = mBackupParticipants.get(uid);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
if (set == null) {
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
set = new HashSet<ApplicationInfo>();
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
mBackupParticipants.put(uid, set);
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
set.add(pkg.applicationInfo);
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
// If we've never seen this app before, schedule a backup for it
if (!mEverStoredApps.contains(pkg.packageName)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.i(TAG, "New app " + pkg.packageName
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
+ " never backed up; scheduling");
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
dataChangedImpl(pkg.packageName);
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
}
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
}
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
Store the app signatures as part of the backup set Under a pseudo-app for the Package Manager, we store the app signatures for all participating applications installed on the device. At restore time we will restore this first, then ensure that the current on-device signature chain is compatible with the one in the backup set. If there's a mismatch, this may be a spoof attempt and we will refuse to restore that app's data. The restore side of this is not implemented, but the Package Manager agent is here as well as the backup side theoretically pushing the data now.
2009-06-18 15:58:25 -07:00
// Remove the given package's entry from our known active set. If
// 'packageName' is null, *all* participating apps will be removed.
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
void removePackageParticipantsLocked(String packageName) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "removePackageParticipantsLocked: " + packageName);
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
List<String> allApps = new ArrayList<String>();
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
if (packageName != null) {
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
allApps.add(packageName);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
} else {
// all apps with agents
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
List<PackageInfo> knownPackages = allAgentPackages();
for (PackageInfo pkg : knownPackages) {
allApps.add(pkg.packageName);
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
removePackageParticipantsLockedInner(packageName, allApps);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
With this, the BackupService onBackup method is called. It took a bunch of refactoring inside BackupManagerService, which is unfortunately all temporary anyway, but it unblocks a bunch of stuff.
2009-05-13 01:41:44 -04:00
private void removePackageParticipantsLockedInner(String packageName,
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
List<String> allPackageNames) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "removePackageParticipantsLockedInner (" + packageName
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
+ ") removing " + allPackageNames.size() + " entries");
for (String p : allPackageNames) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, " - " + p);
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
}
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
for (String pkg : allPackageNames) {
if (packageName == null || pkg.equals(packageName)) {
int uid = -1;
try {
PackageInfo info = mPackageManager.getPackageInfo(packageName, 0);
uid = info.applicationInfo.uid;
} catch (NameNotFoundException e) {
// we don't know this package name, so just skip it for now
continue;
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
HashSet<ApplicationInfo> set = mBackupParticipants.get(uid);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
if (set != null) {
Fix tracking of backup participants across package remove/update
2009-06-05 13:57:54 -07:00
// Find the existing entry with the same package name, and remove it.
// We can't just remove(app) because the instances are different.
for (ApplicationInfo entry: set) {
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
if (entry.packageName.equals(pkg)) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, " removing participant " + pkg);
Fix tracking of backup participants across package remove/update
2009-06-05 13:57:54 -07:00
set.remove(entry);
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
removeEverBackedUp(pkg);
Fix tracking of backup participants across package remove/update
2009-06-05 13:57:54 -07:00
break;
}
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
if (set.size() == 0) {
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
mBackupParticipants.delete(uid);
}
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
}
}
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
// Returns the set of all applications that define an android:backupAgent attribute
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
List<PackageInfo> allAgentPackages() {
Store the app signatures as part of the backup set Under a pseudo-app for the Package Manager, we store the app signatures for all participating applications installed on the device. At restore time we will restore this first, then ensure that the current on-device signature chain is compatible with the one in the backup set. If there's a mismatch, this may be a spoof attempt and we will refuse to restore that app's data. The restore side of this is not implemented, but the Package Manager agent is here as well as the backup side theoretically pushing the data now.
2009-06-18 15:58:25 -07:00
// !!! TODO: cache this and regenerate only when necessary
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
int flags = PackageManager.GET_SIGNATURES;
List<PackageInfo> packages = mPackageManager.getInstalledPackages(flags);
int N = packages.size();
for (int a = N-1; a >= 0; a--) {
Backup participants must now hold the BACKUP_DATA permission Packages that do not use android.permission.BACKUP_DATA will neither be backed up nor restored. That permission is currently signature-only. In the future if access to the backup/restore infrastructure is made available to arbitrary 3rd party applications, the permission checks (and indeed, the permission itself) can simply be removed.
2009-08-13 15:13:03 -07:00
PackageInfo pkg = packages.get(a);
Be sure to include shared lib path info when dealing with agents In particular, this ensures that on the client side the full classpath is known and used by the class loader during execution of the agent.
2009-09-16 10:57:21 -07:00
try {
ApplicationInfo app = pkg.applicationInfo;
if (((app.flags&ApplicationInfo.FLAG_ALLOW_BACKUP) == 0)
Remove BACKUP_DATA permission and associated checks Any package can now participate in backup/restore, without requiring any manifest-declared permission. *Control* of the backup manager is still guarded by the BACKUP permission, which is signatureOrSystem. Change-Id: I116fcfcd4cd255e3c976330da1c4dea7d4faae9d
2010-02-12 14:12:34 -08:00
|| app.backupAgentName == null) {
Be sure to include shared lib path info when dealing with agents In particular, this ensures that on the client side the full classpath is known and used by the class loader during execution of the agent.
2009-09-16 10:57:21 -07:00
packages.remove(a);
}
else {
// we will need the shared library path, so look that up and store it here
app = mPackageManager.getApplicationInfo(pkg.packageName,
PackageManager.GET_SHARED_LIBRARY_FILES);
pkg.applicationInfo.sharedLibraryFiles = app.sharedLibraryFiles;
}
} catch (NameNotFoundException e) {
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
packages.remove(a);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return packages;
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
// Reset the given package's known backup participants. Unlike add/remove, the update
// action cannot be passed a null package name.
void updatePackageParticipantsLocked(String packageName) {
if (packageName == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "updatePackageParticipants called with null package name");
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
return;
}
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "updatePackageParticipantsLocked: " + packageName);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
// brute force but small code size
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
List<PackageInfo> allApps = allAgentPackages();
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
List<String> allAppNames = new ArrayList<String>();
for (PackageInfo pkg : allApps) {
allAppNames.add(pkg.packageName);
}
removePackageParticipantsLockedInner(packageName, allAppNames);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
addPackageParticipantsLockedInner(packageName, allApps);
Track install/removal/update of packages that provide backup services
2009-05-06 16:13:56 -07:00
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// Called from the backup task: record that the given app has been successfully
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
// backed up at least once
void logBackupComplete(String packageName) {
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) return;
synchronized (mEverStoredApps) {
if (!mEverStoredApps.add(packageName)) return;
RandomAccessFile out = null;
try {
out = new RandomAccessFile(mEverStored, "rws");
out.seek(out.length());
out.writeUTF(packageName);
} catch (IOException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Can't log backup of " + packageName + " to " + mEverStored);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
} finally {
try { if (out != null) out.close(); } catch (IOException e) {}
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
}
}
}
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
// Remove our awareness of having ever backed up the given package
void removeEverBackedUp(String packageName) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (DEBUG) Slog.v(TAG, "Removing backed-up knowledge of " + packageName);
if (MORE_DEBUG) Slog.v(TAG, "New set:");
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
synchronized (mEverStoredApps) {
// Rewrite the file and rename to overwrite. If we reboot in the middle,
// we'll recognize on initialization time that the package no longer
// exists and fix it up then.
File tempKnownFile = new File(mBaseStateDir, "processed.new");
RandomAccessFile known = null;
try {
known = new RandomAccessFile(tempKnownFile, "rws");
mEverStoredApps.remove(packageName);
for (String s : mEverStoredApps) {
known.writeUTF(s);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, " " + s);
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
}
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
known.close();
known = null;
if (!tempKnownFile.renameTo(mEverStored)) {
throw new IOException("Can't rename " + tempKnownFile + " to " + mEverStored);
}
} catch (IOException e) {
// Bad: we couldn't create the new copy. For safety's sake we
// abandon the whole process and remove all what's-backed-up
// state entirely, meaning we'll force a backup pass for every
// participant on the next boot or [re]install.
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Error rewriting " + mEverStored, e);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
mEverStoredApps.clear();
tempKnownFile.delete();
mEverStored.delete();
} finally {
try { if (known != null) known.close(); } catch (IOException e) {}
The rest of ever-backed-up tracking When a package is uninstalled we now remove our notion of its having been backed up, thereby forcing a backup pass if it is reinstalled at some point in the future. Removal from the log means rewriting it and doing an atomic rename to the canonical version. The temporary existence used during the rewrite is *not* written synchronously; there's no need and it keeps the load on the flash part much lower. Because we might crash & reboot in the middle of the rewrite operation, there's now code during init that sanity-checks the contents of the ever-backed-up log and ensures that it's in a coherent state.
2009-07-15 16:45:50 -07:00
}
}
}
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
// Persistently record the current and ancestral backup tokens as well
// as the set of packages with data [supposedly] available in the
// ancestral dataset.
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
void writeRestoreTokens() {
try {
RandomAccessFile af = new RandomAccessFile(mTokenFile, "rwd");
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
// First, the version number of this record, for futureproofing
af.writeInt(CURRENT_ANCESTRAL_RECORD_VERSION);
// Write the ancestral and current tokens
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
af.writeLong(mAncestralToken);
af.writeLong(mCurrentToken);
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
// Now write the set of ancestral packages
if (mAncestralPackages == null) {
af.writeInt(-1);
} else {
af.writeInt(mAncestralPackages.size());
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Ancestral packages: " + mAncestralPackages.size());
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
for (String pkgName : mAncestralPackages) {
af.writeUTF(pkgName);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, " " + pkgName);
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
}
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
af.close();
} catch (IOException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Unable to write token file:", e);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
}
}
Replace the stub GoogleTransport with callout to the GoogleTransportService (which lives in vendor/google). Use the Google transport by default. Also, fix a bug: Thread.run() != Thread.start()
2009-06-17 02:30:10 -07:00
// Return the given transport
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
private IBackupTransport getTransport(String transportName) {
synchronized (mTransports) {
IBackupTransport transport = mTransports.get(transportName);
if (transport == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Requested unavailable transport: " + transportName);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
}
return transport;
Add IRestoreSession interface for the restore flow Restore is a fairly complicated, somewhat stateful process, so we introduce a new interface to encapsulate the various bits and pieces into a nicely separable component. In particular, this will make it much cleaner to open and interrogate an expensive-to-construct transport and then reuse it for the actual restore process itself.
2009-06-07 19:33:20 -07:00
}
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
// fire off a backup agent, blocking until it attaches or times out
IBackupAgent bindToAgentSynchronous(ApplicationInfo app, int mode) {
IBackupAgent agent = null;
synchronized(mAgentConnectLock) {
mConnecting = true;
mConnectedAgent = null;
try {
if (mActivityManager.bindBackupAgent(app, mode)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "awaiting agent for " + app);
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
// success; wait for the agent to arrive
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// only wait 10 seconds for the bind to happen
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
while (mConnecting && mConnectedAgent == null
&& (System.currentTimeMillis() < timeoutMark)) {
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
try {
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
mAgentConnectLock.wait(5000);
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
} catch (InterruptedException e) {
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// just bail
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
return null;
}
}
// if we timed out with no connect, abort and move on
if (mConnecting == true) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Timeout waiting for agent " + app);
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
return null;
}
agent = mConnectedAgent;
}
} catch (RemoteException e) {
// can't happen
}
}
return agent;
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// clear an application's data, blocking until the operation completes or times out
void clearApplicationDataSynchronous(String packageName) {
Respect android:allowClearUserData=false during restore Ordinarily we wipe the data of apps we are restoring. This is problematic for packages that expect that their data can never be wiped back to nothing, especially system packages, so we now respect the android:allowClearUserData manifest attribute.
2009-06-26 15:34:09 -07:00
// Don't wipe packages marked allowClearUserData=false
try {
PackageInfo info = mPackageManager.getPackageInfo(packageName, 0);
if ((info.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_CLEAR_USER_DATA) == 0) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.i(TAG, "allowClearUserData=false so not wiping "
Respect android:allowClearUserData=false during restore Ordinarily we wipe the data of apps we are restoring. This is problematic for packages that expect that their data can never be wiped back to nothing, especially system packages, so we now respect the android:allowClearUserData manifest attribute.
2009-06-26 15:34:09 -07:00
+ packageName);
return;
}
} catch (NameNotFoundException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Tried to clear data for " + packageName + " but not found");
Respect android:allowClearUserData=false during restore Ordinarily we wipe the data of apps we are restoring. This is problematic for packages that expect that their data can never be wiped back to nothing, especially system packages, so we now respect the android:allowClearUserData manifest attribute.
2009-06-26 15:34:09 -07:00
return;
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
ClearDataObserver observer = new ClearDataObserver();
synchronized(mClearDataLock) {
mClearingData = true;
Clear app data via the Activity Manager, not Package Manager This is because doing it through the Activity Manager also makes sure that the app has been shut down first, which is quite a desirable invariant for restore handling.
2009-08-06 14:57:53 -07:00
try {
mActivityManager.clearApplicationUserData(packageName, observer);
} catch (RemoteException e) {
// can't happen because the activity manager is in this process
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// only wait 10 seconds for the clear data to happen
long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
while (mClearingData && (System.currentTimeMillis() < timeoutMark)) {
try {
mClearDataLock.wait(5000);
} catch (InterruptedException e) {
// won't happen, but still.
mClearingData = false;
}
}
}
}
class ClearDataObserver extends IPackageDataObserver.Stub {
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
public void onRemoveCompleted(String packageName, boolean succeeded) {
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
synchronized(mClearDataLock) {
mClearingData = false;
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
mClearDataLock.notifyAll();
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
}
}
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
// Get the restore-set token for the best-available restore set for this package:
// the active set if possible, else the ancestral one. Returns zero if none available.
long getAvailableRestoreToken(String packageName) {
long token = mAncestralToken;
synchronized (mQueueLock) {
if (mEverStoredApps.contains(packageName)) {
token = mCurrentToken;
}
}
return token;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// -----
// Utility methods used by the asynchronous-with-timeout backup/restore operations
boolean waitUntilOperationComplete(int token) {
int finalState = OP_PENDING;
synchronized (mCurrentOpLock) {
try {
while ((finalState = mCurrentOperations.get(token, OP_TIMEOUT)) == OP_PENDING) {
try {
mCurrentOpLock.wait();
} catch (InterruptedException e) {}
}
} catch (IndexOutOfBoundsException e) {
// the operation has been mysteriously cleared from our
// bookkeeping -- consider this a success and ignore it.
}
}
mBackupHandler.removeMessages(MSG_TIMEOUT);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "operation " + Integer.toHexString(token)
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
+ " complete: finalState=" + finalState);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
return finalState == OP_ACKNOWLEDGED;
}
void prepareOperationTimeout(int token, long interval) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "starting timeout: token=" + Integer.toHexString(token)
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
+ " interval=" + interval);
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
synchronized (mCurrentOpLock) {
mCurrentOperations.put(token, OP_PENDING);
Message msg = mBackupHandler.obtainMessage(MSG_TIMEOUT, token, 0);
mBackupHandler.sendMessageDelayed(msg, interval);
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
// ----- Back up a set of applications via a worker thread -----
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
class PerformBackupTask implements Runnable {
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
private static final String TAG = "PerformBackupThread";
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
IBackupTransport mTransport;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
ArrayList<BackupRequest> mQueue;
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
File mStateDir;
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
File mJournal;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
public PerformBackupTask(IBackupTransport transport, ArrayList<BackupRequest> queue,
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
File journal) {
Hold the current transport instantiated all the time. We no longer instantiate the transport just for the duration of handling a backup or restore operation. Instead, we hold the object forever (replacing it if instructed to do so). This makes it easier for transports to watch system state and help set backup timing policy. Also fixes up the IBackupTransport documentation a bit.
2009-06-16 18:25:46 -07:00
mTransport = transport;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
mQueue = queue;
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
mJournal = journal;
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
try {
mStateDir = new File(mBaseStateDir, transport.transportDirName());
} catch (RemoteException e) {
// can't happen; the transport is local
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
public void run() {
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
int status = BackupConstants.TRANSPORT_OK;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
long startRealtime = SystemClock.elapsedRealtime();
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Beginning backup of " + mQueue.size() + " targets");
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Run backups at background priority
2009-06-30 16:11:49 -07:00
// Backups run at background priority
Process.setThreadPriority(Process.THREAD_PRIORITY_BACKGROUND);
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
try {
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_START, mTransport.transportDirName());
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
// If we haven't stored package manager metadata yet, we must init the transport.
File pmState = new File(mStateDir, PACKAGE_MANAGER_SENTINEL);
if (status == BackupConstants.TRANSPORT_OK && pmState.length() <= 0) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "Initializing (wiping) backup state and transport storage");
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
resetBackupState(mStateDir); // Just to make sure.
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
status = mTransport.initializeDevice();
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
if (status == BackupConstants.TRANSPORT_OK) {
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
} else {
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Transport error in initializeDevice()");
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
}
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
// The package manager doesn't have a proper <application> etc, but since
// it's running here in the system process we can just set up its agent
// directly and use a synthetic BackupRequest. We always run this pass
// because it's cheap and this way we guarantee that we don't get out of
// step even if we're selecting among various transports at run time.
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (status == BackupConstants.TRANSPORT_OK) {
PackageManagerBackupAgent pmAgent = new PackageManagerBackupAgent(
mPackageManager, allAgentPackages());
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
BackupRequest pmRequest = new BackupRequest(new ApplicationInfo());
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
pmRequest.appInfo.packageName = PACKAGE_MANAGER_SENTINEL;
status = processOneBackup(pmRequest,
IBackupAgent.Stub.asInterface(pmAgent.onBind()), mTransport);
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (status == BackupConstants.TRANSPORT_OK) {
// Now run all the backups in our queue
status = doQueuedBackups(mTransport);
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (status == BackupConstants.TRANSPORT_OK) {
// Tell the transport to finish everything it has buffered
status = mTransport.finishBackup();
if (status == BackupConstants.TRANSPORT_OK) {
int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_SUCCESS, mQueue.size(), millis);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
} else {
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(finish)");
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Transport error in finishBackup()");
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
}
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (status == BackupConstants.TRANSPORT_NOT_INITIALIZED) {
// The backend reports that our dataset has been wiped. We need to
// reset all of our bookkeeping and instead run a new backup pass for
Get rid of now-superfluous "backup or restore in progress" tracking Now that backup/restore/etc operations are queued and serialized, we no longer need to use external state tracking to prevent overlapping operations. Change-Id: I14f2a5d740cb97ae062aad55a06f49a2be5dd985
2010-02-02 15:18:58 -08:00
// everything.
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_RESET, mTransport.transportDirName());
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
resetBackupState(mStateDir);
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error in backup thread", e);
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
status = BackupConstants.TRANSPORT_ERROR;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} finally {
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// If everything actually went through and this is the first time we've
// done a backup, we can now record what the current backup dataset token
// is.
Properly note the current active restore set's token Bug: 2796780 Change-Id: Iad601ed96ae73cf34910a276350712e6af19bb4e
2010-06-24 15:58:01 -07:00
if ((mCurrentToken == 0) && (status == BackupConstants.TRANSPORT_OK)) {
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
try {
mCurrentToken = mTransport.getCurrentRestoreSet();
} catch (RemoteException e) { /* cannot happen */ }
writeRestoreTokens();
}
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
// If things went wrong, we need to re-stage the apps we had expected
// to be backing up in this pass. This journals the package names in
// the current active pending-backup file, not in the we are holding
// here in mJournal.
if (status != BackupConstants.TRANSPORT_OK) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Backup pass unsuccessful, restaging");
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
for (BackupRequest req : mQueue) {
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
dataChangedImpl(req.appInfo.packageName);
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
}
Disallow concurrent backups; consult transport requestBackupTime() * We now check for in-progress backups when asked to perform one, and don't bother firing off another one concurrently (nor do we adjust the scheduling; after all, someone asked to do a backup "now" and we're doing one, so we are in line with expectations). We also defer backup passes while a restore is in flight, and abort attempts to perform a restore during a backup pass. * When a backup attempt fails, we now ask the transport how far in the future we should put our retry. Previously we were simply not bothering to consult with the transport, so we would wind up retrying backup while network connectivity was known to be down, etc. Change-Id: Ic7758010b74e06e90c50d46b7b0dd01b17af7c90
2009-09-24 18:01:46 -07:00
// We also want to reset the backup schedule based on whatever
// the transport suggests by way of retry/backoff time.
try {
startBackupAlarmsLocked(mTransport.requestBackupTime());
} catch (RemoteException e) { /* cannot happen */ }
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
}
// Either backup was successful, in which case we of course do not need
// this pass's journal any more; or it failed, in which case we just
// re-enqueued all of these packages in the current active journal.
// Either way, we no longer need this pass's journal.
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
if (mJournal != null && !mJournal.delete()) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Unable to remove backup journal file " + mJournal);
If backup fails, reenqueue all of the affected packages for next time.
2009-09-22 11:14:17 -07:00
}
Get rid of now-superfluous "backup or restore in progress" tracking Now that backup/restore/etc operations are queued and serialized, we no longer need to use external state tracking to prevent overlapping operations. Change-Id: I14f2a5d740cb97ae062aad55a06f49a2be5dd985
2010-02-02 15:18:58 -08:00
// Only once we're entirely finished do we release the wakelock
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
if (status == BackupConstants.TRANSPORT_NOT_INITIALIZED) {
backupNow();
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
mWakelock.release();
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
private int doQueuedBackups(IBackupTransport transport) {
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
for (BackupRequest request : mQueue) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "starting agent for backup of " + request);
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
// Verify that the requested app exists; it might be something that
// requested a backup but was then uninstalled. The request was
// journalled and rather than tamper with the journal it's safer
// to sanity-check here.
try {
mPackageManager.getPackageInfo(request.appInfo.packageName, 0);
} catch (NameNotFoundException e) {
Slog.d(TAG, "Package does not exist; skipping");
continue;
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
IBackupAgent agent = null;
try {
Track client requests through location manager. This fixes a problem where applications could ask the location manager to do very heavy-weight things (like... say... update location every minute), which would get accounted against the system instead of the application because ultimately it is the system making the heavy calls (wake locks, etc). To solve this, we introduce a new class WorkSource representing the source of some work. Wake locks and Wifi locks allow you to set the source to use (but only if you are system code and thus can get the permission to do so), which is what will be reported to the battery stats until the actual caller. For the initial implementation, the location manager keeps track of all clients requesting periodic updates, and tells its providers about them as a WorkSource param when setting their min update time. The network location provider uses this to set the source on the wake and wifi locks it acquires, when doing work because of the update period. This should also be used elsewhere, such as in the GPS provider, but this is a good start. Change-Id: I2b6ffafad9e90ecf15d7c502e2db675fd52ae3cf
2010-09-10 18:43:00 -07:00
mWakelock.setWorkSource(new WorkSource(request.appInfo.uid));
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
agent = bindToAgentSynchronous(request.appInfo,
IApplicationThread.BACKUP_MODE_INCREMENTAL);
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
if (agent != null) {
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
int result = processOneBackup(request, agent, transport);
if (result != BackupConstants.TRANSPORT_OK) return result;
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
} catch (SecurityException ex) {
// Try for the next one.
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "error in bind/backup", ex);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
} finally {
try { // unbind even on timeout, just in case
mActivityManager.unbindBackupAgent(request.appInfo);
} catch (RemoteException e) {}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
}
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
Track client requests through location manager. This fixes a problem where applications could ask the location manager to do very heavy-weight things (like... say... update location every minute), which would get accounted against the system instead of the application because ultimately it is the system making the heavy calls (wake locks, etc). To solve this, we introduce a new class WorkSource representing the source of some work. Wake locks and Wifi locks allow you to set the source to use (but only if you are system code and thus can get the permission to do so), which is what will be reported to the battery stats until the actual caller. For the initial implementation, the location manager keeps track of all clients requesting periodic updates, and tells its providers about them as a WorkSource param when setting their min update time. The network location provider uses this to set the source on the wake and wifi locks it acquires, when doing work because of the update period. This should also be used elsewhere, such as in the GPS provider, but this is a good start. Change-Id: I2b6ffafad9e90ecf15d7c502e2db675fd52ae3cf
2010-09-10 18:43:00 -07:00
mWakelock.setWorkSource(null);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
return BackupConstants.TRANSPORT_OK;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
private int processOneBackup(BackupRequest request, IBackupAgent agent,
IBackupTransport transport) {
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
final String packageName = request.appInfo.packageName;
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.d(TAG, "processOneBackup doBackup() on " + packageName);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
File savedStateName = new File(mStateDir, packageName);
File backupDataName = new File(mDataDir, packageName + ".data");
File newStateName = new File(mStateDir, packageName + ".new");
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
ParcelFileDescriptor savedState = null;
ParcelFileDescriptor backupData = null;
ParcelFileDescriptor newState = null;
PackageInfo packInfo;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
final int token = generateToken();
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
try {
// Look up the package info & signatures. This is first so that if it
// throws an exception, there's no file setup yet that would need to
// be unraveled.
Use signatures on restore On restore now, the backup manager gets the signature blocks corresponding to the restore set from the transport. It then validates those signatures against the on-device app signatures, and refuses to restore data to an app whose on-device sig block does not match the backup image's. Also actually implement 'bmgr transport N' so that we can select the local transport easily during runtime.
2009-06-18 18:35:32 -07:00
if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) {
// The metadata 'package' is synthetic
packInfo = new PackageInfo();
packInfo.packageName = packageName;
} else {
packInfo = mPackageManager.getPackageInfo(packageName,
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
PackageManager.GET_SIGNATURES);
Use signatures on restore On restore now, the backup manager gets the signature blocks corresponding to the restore set from the transport. It then validates those signatures against the on-device app signatures, and refuses to restore data to an app whose on-device sig block does not match the backup image's. Also actually implement 'bmgr transport N' so that we can select the local transport easily during runtime.
2009-06-18 18:35:32 -07:00
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// In a full backup, we pass a null ParcelFileDescriptor as
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// the saved-state "file". This is by definition an incremental,
// so we build a saved state file to pass.
savedState = ParcelFileDescriptor.open(savedStateName,
ParcelFileDescriptor.MODE_READ_ONLY |
ParcelFileDescriptor.MODE_CREATE); // Make an empty file if necessary
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
backupData = ParcelFileDescriptor.open(backupDataName,
ParcelFileDescriptor.MODE_READ_WRITE |
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE);
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
newState = ParcelFileDescriptor.open(newStateName,
ParcelFileDescriptor.MODE_READ_WRITE |
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE);
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// Initiate the target's backup pass
prepareOperationTimeout(token, TIMEOUT_BACKUP_INTERVAL);
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
agent.doBackup(savedState, backupData, newState, token, mBackupManagerBinder);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
boolean success = waitUntilOperationComplete(token);
if (!success) {
// timeout -- bail out into the failed-transaction logic
throw new RuntimeException("Backup timeout");
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
logBackupComplete(packageName);
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "doBackup() success");
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error backing up " + packageName, e);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, packageName, e.toString());
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
backupDataName.delete();
newStateName.delete();
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
return BackupConstants.TRANSPORT_ERROR;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} finally {
try { if (savedState != null) savedState.close(); } catch (IOException e) {}
try { if (backupData != null) backupData.close(); } catch (IOException e) {}
try { if (newState != null) newState.close(); } catch (IOException e) {}
savedState = backupData = newState = null;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
synchronized (mCurrentOpLock) {
mCurrentOperations.clear();
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
// Now propagate the newly-backed-up data to the transport
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
int result = BackupConstants.TRANSPORT_OK;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
try {
int size = (int) backupDataName.length();
if (size > 0) {
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (result == BackupConstants.TRANSPORT_OK) {
backupData = ParcelFileDescriptor.open(backupDataName,
ParcelFileDescriptor.MODE_READ_ONLY);
result = transport.performBackup(packInfo, backupData);
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
Inefficient but correct fix for 2122381: call finishBackup after every performBackup
2009-09-17 16:17:55 -07:00
// TODO - We call finishBackup() for each application backed up, because
// we need to know now whether it succeeded or failed. Instead, we should
// hold off on finishBackup() until the end, which implies holding off on
// renaming *all* the output state files (see below) until that happens.
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (result == BackupConstants.TRANSPORT_OK) {
result = transport.finishBackup();
Inefficient but correct fix for 2122381: call finishBackup after every performBackup
2009-09-17 16:17:55 -07:00
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.i(TAG, "no backup data written; not calling transport");
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
// After successful transport, delete the now-stale data
// and juggle the files so that next time we supply the agent
// with the new state file it just created.
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (result == BackupConstants.TRANSPORT_OK) {
backupDataName.delete();
newStateName.renameTo(savedStateName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_PACKAGE, packageName, size);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
} else {
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, packageName);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Transport error backing up " + packageName, e);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, packageName);
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
result = BackupConstants.TRANSPORT_ERROR;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} finally {
try { if (backupData != null) backupData.close(); } catch (IOException e) {}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
Reset backup tracking in response to transport data-wipe notification When attempting a backup, the transport may inform us that the backend is in an uninitialized state. This typically means that the device's data has been wiped after a period [e.g. 90 days] of inactivity. This means that we need to re-store all data subject to backup, and all of our incremental state tracking on the device is now stale. In response, we wipe all of our recorded backup state and restart the backup pass on all participants.
2009-09-21 10:12:59 -07:00
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
return result;
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// ----- Full backup to a file/socket -----
class PerformFullBackupTask implements Runnable {
ParcelFileDescriptor mOutputFile;
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
DeflaterOutputStream mDeflater;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
IFullBackupRestoreObserver mObserver;
boolean mIncludeApks;
boolean mIncludeShared;
boolean mAllApps;
String[] mPackages;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
String mCurrentPassword;
String mEncryptPassword;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
AtomicBoolean mLatchObject;
File mFilesDir;
File mManifestFile;
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
class FullBackupRunner implements Runnable {
PackageInfo mPackage;
IBackupAgent mAgent;
ParcelFileDescriptor mPipe;
int mToken;
boolean mSendApk;
FullBackupRunner(PackageInfo pack, IBackupAgent agent, ParcelFileDescriptor pipe,
int token, boolean sendApk) throws IOException {
mPackage = pack;
mAgent = agent;
mPipe = ParcelFileDescriptor.dup(pipe.getFileDescriptor());
mToken = token;
mSendApk = sendApk;
}
@Override
public void run() {
try {
BackupDataOutput output = new BackupDataOutput(
mPipe.getFileDescriptor());
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "Writing manifest for " + mPackage.packageName);
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
writeAppManifest(mPackage, mManifestFile, mSendApk);
FullBackup.backupToTar(mPackage.packageName, null, null,
mFilesDir.getAbsolutePath(),
mManifestFile.getAbsolutePath(),
output);
if (mSendApk) {
writeApkToBackup(mPackage, output);
}
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (DEBUG) Slog.d(TAG, "Calling doFullBackup() on " + mPackage.packageName);
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
prepareOperationTimeout(mToken, TIMEOUT_FULL_BACKUP_INTERVAL);
mAgent.doFullBackup(mPipe, mToken, mBackupManagerBinder);
} catch (IOException e) {
Slog.e(TAG, "Error running full backup for " + mPackage.packageName);
} catch (RemoteException e) {
Slog.e(TAG, "Remote agent vanished during full backup of "
+ mPackage.packageName);
} finally {
try {
mPipe.close();
} catch (IOException e) {}
}
}
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
PerformFullBackupTask(ParcelFileDescriptor fd, IFullBackupRestoreObserver observer,
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
boolean includeApks, boolean includeShared, String curPassword,
String encryptPassword, boolean doAllApps, String[] packages,
AtomicBoolean latch) {
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mOutputFile = fd;
mObserver = observer;
mIncludeApks = includeApks;
mIncludeShared = includeShared;
mAllApps = doAllApps;
mPackages = packages;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
mCurrentPassword = curPassword;
// when backing up, if there is a current backup password, we require that
// the user use a nonempty encryption password as well. if one is supplied
// in the UI we use that, but if the UI was left empty we fall back to the
// current backup password (which was supplied by the user as well).
if (encryptPassword == null || "".equals(encryptPassword)) {
mEncryptPassword = curPassword;
} else {
mEncryptPassword = encryptPassword;
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mLatchObject = latch;
mFilesDir = new File("/data/system");
mManifestFile = new File(mFilesDir, BACKUP_MANIFEST_FILENAME);
}
@Override
public void run() {
final List<PackageInfo> packagesToBackup;
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
Slog.i(TAG, "--- Performing full-dataset backup ---");
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
sendStartBackup();
// doAllApps supersedes the package set if any
if (mAllApps) {
packagesToBackup = mPackageManager.getInstalledPackages(
PackageManager.GET_SIGNATURES);
} else {
packagesToBackup = new ArrayList<PackageInfo>();
for (String pkgName : mPackages) {
try {
packagesToBackup.add(mPackageManager.getPackageInfo(pkgName,
PackageManager.GET_SIGNATURES));
} catch (NameNotFoundException e) {
Slog.w(TAG, "Unknown package " + pkgName + ", skipping");
}
}
}
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
// Cull any packages that have indicated that backups are not permitted.
for (int i = 0; i < packagesToBackup.size(); ) {
PackageInfo info = packagesToBackup.get(i);
if ((info.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
packagesToBackup.remove(i);
} else {
i++;
}
}
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
FileOutputStream ofstream = new FileOutputStream(mOutputFile.getFileDescriptor());
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
OutputStream out = null;
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
PackageInfo pkg = null;
try {
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
boolean encrypting = (mEncryptPassword != null && mEncryptPassword.length() > 0);
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
boolean compressing = COMPRESS_FULL_BACKUPS;
OutputStream finalOutput = ofstream;
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
// Write the global file header. All strings are UTF-8 encoded; lines end
// with a '\n' byte. Actual backup data begins immediately following the
// final '\n'.
//
// line 1: "ANDROID BACKUP"
// line 2: backup file format version, currently "1"
// line 3: compressed? "0" if not compressed, "1" if compressed.
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// line 4: name of encryption algorithm [currently only "none" or "AES-256"]
//
// When line 4 is not "none", then additional header data follows:
//
// line 5: user password salt [hex]
// line 6: master key checksum salt [hex]
// line 7: number of PBKDF2 rounds to use (same for user & master) [decimal]
// line 8: IV of the user key [hex]
// line 9: master key blob [hex]
// IV of the master key, master key itself, master key checksum hash
//
// The master key checksum is the master key plus its checksum salt, run through
// 10k rounds of PBKDF2. This is used to verify that the user has supplied the
// correct password for decrypting the archive: the master key decrypted from
// the archive using the user-supplied password is also run through PBKDF2 in
// this way, and if the result does not match the checksum as stored in the
// archive, then we know that the user-supplied password does not match the
// archive's.
StringBuilder headerbuf = new StringBuilder(1024);
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
headerbuf.append(BACKUP_FILE_HEADER_MAGIC);
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
headerbuf.append(BACKUP_FILE_VERSION); // integer, no trailing \n
headerbuf.append(compressing ? "\n1\n" : "\n0\n");
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
try {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// Set up the encryption stage if appropriate, and emit the correct header
if (encrypting) {
// Verify that the given password matches the currently-active
// backup password, if any
if (hasBackupPassword()) {
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
if (!passwordMatchesSaved(mCurrentPassword, PBKDF2_HASH_ROUNDS)) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
return;
}
}
finalOutput = emitAesBackupHeader(headerbuf, finalOutput);
} else {
headerbuf.append("none\n");
}
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
byte[] header = headerbuf.toString().getBytes("UTF-8");
ofstream.write(header);
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// Set up the compression stage feeding into the encryption stage (if any)
if (compressing) {
Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
finalOutput = new DeflaterOutputStream(finalOutput, deflater, true);
}
out = finalOutput;
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
} catch (Exception e) {
// Should never happen!
Slog.e(TAG, "Unable to emit archive header", e);
return;
}
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
// Now back up the app data via the agent mechanism
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
int N = packagesToBackup.size();
for (int i = 0; i < N; i++) {
pkg = packagesToBackup.get(i);
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
backupOnePackage(pkg, out);
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
// Finally, shared storage if requested
if (mIncludeShared) {
backupSharedStorage();
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
}
} catch (RemoteException e) {
Slog.e(TAG, "App died during full backup");
} finally {
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
tearDown(pkg);
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
try {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (out != null) out.close();
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mOutputFile.close();
} catch (IOException e) {
/* nothing we can do about this */
}
synchronized (mCurrentOpLock) {
mCurrentOperations.clear();
}
synchronized (mLatchObject) {
mLatchObject.set(true);
mLatchObject.notifyAll();
}
sendEndBackup();
mWakelock.release();
if (DEBUG) Slog.d(TAG, "Full backup pass complete.");
}
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
private OutputStream emitAesBackupHeader(StringBuilder headerbuf,
OutputStream ofstream) throws Exception {
// User key will be used to encrypt the master key.
byte[] newUserSalt = randomBytes(PBKDF2_SALT_SIZE);
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
SecretKey userKey = buildPasswordKey(mEncryptPassword, newUserSalt,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
PBKDF2_HASH_ROUNDS);
// the master key is random for each backup
byte[] masterPw = new byte[256 / 8];
mRng.nextBytes(masterPw);
byte[] checksumSalt = randomBytes(PBKDF2_SALT_SIZE);
// primary encryption of the datastream with the random key
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKeySpec masterKeySpec = new SecretKeySpec(masterPw, "AES");
c.init(Cipher.ENCRYPT_MODE, masterKeySpec);
OutputStream finalOutput = new CipherOutputStream(ofstream, c);
// line 4: name of encryption algorithm
headerbuf.append(ENCRYPTION_ALGORITHM_NAME);
headerbuf.append('\n');
// line 5: user password salt [hex]
headerbuf.append(byteArrayToHex(newUserSalt));
headerbuf.append('\n');
// line 6: master key checksum salt [hex]
headerbuf.append(byteArrayToHex(checksumSalt));
headerbuf.append('\n');
// line 7: number of PBKDF2 rounds used [decimal]
headerbuf.append(PBKDF2_HASH_ROUNDS);
headerbuf.append('\n');
// line 8: IV of the user key [hex]
Cipher mkC = Cipher.getInstance("AES/CBC/PKCS5Padding");
mkC.init(Cipher.ENCRYPT_MODE, userKey);
byte[] IV = mkC.getIV();
headerbuf.append(byteArrayToHex(IV));
headerbuf.append('\n');
// line 9: master IV + key blob, encrypted by the user key [hex]. Blob format:
// [byte] IV length = Niv
// [array of Niv bytes] IV itself
// [byte] master key length = Nmk
// [array of Nmk bytes] master key itself
// [byte] MK checksum hash length = Nck
// [array of Nck bytes] master key checksum hash
//
// The checksum is the (master key + checksum salt), run through the
// stated number of PBKDF2 rounds
IV = c.getIV();
byte[] mk = masterKeySpec.getEncoded();
byte[] checksum = makeKeyChecksum(masterKeySpec.getEncoded(),
checksumSalt, PBKDF2_HASH_ROUNDS);
ByteArrayOutputStream blob = new ByteArrayOutputStream(IV.length + mk.length
+ checksum.length + 3);
DataOutputStream mkOut = new DataOutputStream(blob);
mkOut.writeByte(IV.length);
mkOut.write(IV);
mkOut.writeByte(mk.length);
mkOut.write(mk);
mkOut.writeByte(checksum.length);
mkOut.write(checksum);
mkOut.flush();
byte[] encryptedMk = mkC.doFinal(blob.toByteArray());
headerbuf.append(byteArrayToHex(encryptedMk));
headerbuf.append('\n');
return finalOutput;
}
private void backupOnePackage(PackageInfo pkg, OutputStream out)
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
throws RemoteException {
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
Slog.d(TAG, "Binding to full backup agent : " + pkg.packageName);
IBackupAgent agent = bindToAgentSynchronous(pkg.applicationInfo,
IApplicationThread.BACKUP_MODE_FULL);
if (agent != null) {
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
ParcelFileDescriptor[] pipes = null;
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
try {
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
pipes = ParcelFileDescriptor.createPipe();
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
ApplicationInfo app = pkg.applicationInfo;
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
final boolean sendApk = mIncludeApks
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
&& ((app.flags & ApplicationInfo.FLAG_FORWARD_LOCK) == 0)
&& ((app.flags & ApplicationInfo.FLAG_SYSTEM) == 0 ||
(app.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0);
sendOnBackupPackage(pkg.packageName);
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
final int token = generateToken();
FullBackupRunner runner = new FullBackupRunner(pkg, agent, pipes[1],
token, sendApk);
pipes[1].close(); // the runner has dup'd it
pipes[1] = null;
Thread t = new Thread(runner);
t.start();
// Now pull data from the app and stuff it into the compressor
try {
FileInputStream raw = new FileInputStream(pipes[0].getFileDescriptor());
DataInputStream in = new DataInputStream(raw);
byte[] buffer = new byte[16 * 1024];
int chunkTotal;
while ((chunkTotal = in.readInt()) > 0) {
while (chunkTotal > 0) {
int toRead = (chunkTotal > buffer.length)
? buffer.length : chunkTotal;
int nRead = in.read(buffer, 0, toRead);
out.write(buffer, 0, nRead);
chunkTotal -= nRead;
}
}
} catch (IOException e) {
Slog.i(TAG, "Caught exception reading from agent", e);
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
}
if (!waitUntilOperationComplete(token)) {
Slog.e(TAG, "Full backup failed on package " + pkg.packageName);
} else {
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
if (DEBUG) Slog.d(TAG, "Full package backup success: " + pkg.packageName);
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
}
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
} catch (IOException e) {
Slog.e(TAG, "Error backing up " + pkg.packageName, e);
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
} finally {
try {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// flush after every package
out.flush();
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
if (pipes != null) {
if (pipes[0] != null) pipes[0].close();
if (pipes[1] != null) pipes[1].close();
}
} catch (IOException e) {
Slog.w(TAG, "Error bringing down backup stack");
}
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
}
} else {
Slog.w(TAG, "Unable to bind to full agent for " + pkg.packageName);
}
tearDown(pkg);
}
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
private void writeApkToBackup(PackageInfo pkg, BackupDataOutput output) {
// Forward-locked apps, system-bundled .apks, etc are filtered out before we get here
final String appSourceDir = pkg.applicationInfo.sourceDir;
final String apkDir = new File(appSourceDir).getParent();
FullBackup.backupToTar(pkg.packageName, FullBackup.APK_TREE_TOKEN, null,
apkDir, appSourceDir, output);
// Save associated .obb content if it exists and we did save the apk
// check for .obb and save those too
final File obbDir = Environment.getExternalStorageAppObbDirectory(pkg.packageName);
if (obbDir != null) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Log.i(TAG, "obb dir: " + obbDir.getAbsolutePath());
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
File[] obbFiles = obbDir.listFiles();
if (obbFiles != null) {
final String obbDirName = obbDir.getAbsolutePath();
for (File obb : obbFiles) {
FullBackup.backupToTar(pkg.packageName, FullBackup.OBB_TREE_TOKEN, null,
obbDirName, obb.getAbsolutePath(), output);
}
}
}
}
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
private void backupSharedStorage() throws RemoteException {
PackageInfo pkg = null;
try {
pkg = mPackageManager.getPackageInfo("com.android.sharedstoragebackup", 0);
IBackupAgent agent = bindToAgentSynchronous(pkg.applicationInfo,
IApplicationThread.BACKUP_MODE_FULL);
if (agent != null) {
sendOnBackupPackage("Shared storage");
final int token = generateToken();
prepareOperationTimeout(token, TIMEOUT_SHARED_BACKUP_INTERVAL);
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
agent.doFullBackup(mOutputFile, token, mBackupManagerBinder);
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
if (!waitUntilOperationComplete(token)) {
Slog.e(TAG, "Full backup failed on shared storage");
} else {
if (DEBUG) Slog.d(TAG, "Full shared storage backup success");
}
} else {
Slog.e(TAG, "Could not bind to shared storage backup agent");
}
} catch (NameNotFoundException e) {
Slog.e(TAG, "Shared storage backup package not found");
} finally {
tearDown(pkg);
}
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
private void writeAppManifest(PackageInfo pkg, File manifestFile, boolean withApk)
throws IOException {
// Manifest format. All data are strings ending in LF:
// BACKUP_MANIFEST_VERSION, currently 1
//
// Version 1:
// package name
// package's versionCode
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// platform versionCode
// getInstallerPackageName() for this package (maybe empty)
// boolean: "1" if archive includes .apk; any other string means not
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// number of signatures == N
// N*: signature byte array in ascii format per Signature.toCharsString()
StringBuilder builder = new StringBuilder(4096);
StringBuilderPrinter printer = new StringBuilderPrinter(builder);
printer.println(Integer.toString(BACKUP_MANIFEST_VERSION));
printer.println(pkg.packageName);
printer.println(Integer.toString(pkg.versionCode));
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
printer.println(Integer.toString(Build.VERSION.SDK_INT));
String installerName = mPackageManager.getInstallerPackageName(pkg.packageName);
printer.println((installerName != null) ? installerName : "");
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
printer.println(withApk ? "1" : "0");
if (pkg.signatures == null) {
printer.println("0");
} else {
printer.println(Integer.toString(pkg.signatures.length));
for (Signature sig : pkg.signatures) {
printer.println(sig.toCharsString());
}
}
FileOutputStream outstream = new FileOutputStream(manifestFile);
outstream.write(builder.toString().getBytes());
outstream.close();
}
private void tearDown(PackageInfo pkg) {
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
if (pkg != null) {
final ApplicationInfo app = pkg.applicationInfo;
if (app != null) {
try {
// unbind and tidy up even on timeout or failure, just in case
mActivityManager.unbindBackupAgent(app);
// The agent was running with a stub Application object, so shut it down.
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (app.uid != Process.SYSTEM_UID
&& app.uid != Process.PHONE_UID) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "Backup complete, killing host process");
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
mActivityManager.killApplicationProcess(app.processName, app.uid);
} else {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "Not killing after restore: " + app.processName);
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
}
} catch (RemoteException e) {
Slog.d(TAG, "Lost app trying to shut down");
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
}
}
}
// wrappers for observer use
void sendStartBackup() {
if (mObserver != null) {
try {
mObserver.onStartBackup();
} catch (RemoteException e) {
Slog.w(TAG, "full backup observer went away: startBackup");
mObserver = null;
}
}
}
void sendOnBackupPackage(String name) {
if (mObserver != null) {
try {
// TODO: use a more user-friendly name string
mObserver.onBackupPackage(name);
} catch (RemoteException e) {
Slog.w(TAG, "full backup observer went away: backupPackage");
mObserver = null;
}
}
}
void sendEndBackup() {
if (mObserver != null) {
try {
mObserver.onEndBackup();
} catch (RemoteException e) {
Slog.w(TAG, "full backup observer went away: endBackup");
mObserver = null;
}
}
}
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// ----- Full restore from a file/socket -----
// Description of a file in the restore datastream
static class FileMetadata {
String packageName; // name of the owning app
String installerPackageName; // name of the market-type app that installed the owner
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
int type; // e.g. BackupAgent.TYPE_DIRECTORY
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
String domain; // e.g. FullBackup.DATABASE_TREE_TOKEN
String path; // subpath within the semantic domain
long mode; // e.g. 0666 (actually int)
long mtime; // last mod time, UTC time_t (actually int)
long size; // bytes of content
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
@Override
public String toString() {
StringBuilder sb = new StringBuilder(128);
sb.append("FileMetadata{");
sb.append(packageName); sb.append(',');
sb.append(type); sb.append(',');
sb.append(domain); sb.append(':'); sb.append(path); sb.append(',');
sb.append(size);
sb.append('}');
return sb.toString();
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
enum RestorePolicy {
IGNORE,
ACCEPT,
ACCEPT_IF_APK
}
class PerformFullRestoreTask implements Runnable {
ParcelFileDescriptor mInputFile;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
String mCurrentPassword;
String mDecryptPassword;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
IFullBackupRestoreObserver mObserver;
AtomicBoolean mLatchObject;
IBackupAgent mAgent;
String mAgentPackage;
ApplicationInfo mTargetApp;
ParcelFileDescriptor[] mPipes = null;
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
long mBytes;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// possible handling states for a given package in the restore dataset
final HashMap<String, RestorePolicy> mPackagePolicies
= new HashMap<String, RestorePolicy>();
// installer package names for each encountered app, derived from the manifests
final HashMap<String, String> mPackageInstallers = new HashMap<String, String>();
// Signatures for a given package found in its manifest file
final HashMap<String, Signature[]> mManifestSignatures
= new HashMap<String, Signature[]>();
// Packages we've already wiped data on when restoring their first file
final HashSet<String> mClearedPackages = new HashSet<String>();
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
PerformFullRestoreTask(ParcelFileDescriptor fd, String curPassword, String decryptPassword,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
IFullBackupRestoreObserver observer, AtomicBoolean latch) {
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
mInputFile = fd;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
mCurrentPassword = curPassword;
mDecryptPassword = decryptPassword;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
mObserver = observer;
mLatchObject = latch;
mAgent = null;
mAgentPackage = null;
mTargetApp = null;
// Which packages we've already wiped data on. We prepopulate this
// with a whitelist of packages known to be unclearable.
mClearedPackages.add("android");
mClearedPackages.add("com.android.providers.settings");
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
class RestoreFileRunnable implements Runnable {
IBackupAgent mAgent;
FileMetadata mInfo;
ParcelFileDescriptor mSocket;
int mToken;
RestoreFileRunnable(IBackupAgent agent, FileMetadata info,
ParcelFileDescriptor socket, int token) throws IOException {
mAgent = agent;
mInfo = info;
mToken = token;
// This class is used strictly for process-local binder invocations. The
// semantics of ParcelFileDescriptor differ in this case; in particular, we
// do not automatically get a 'dup'ed descriptor that we can can continue
// to use asynchronously from the caller. So, we make sure to dup it ourselves
// before proceeding to do the restore.
mSocket = ParcelFileDescriptor.dup(socket.getFileDescriptor());
}
@Override
public void run() {
try {
mAgent.doRestoreFile(mSocket, mInfo.size, mInfo.type,
mInfo.domain, mInfo.path, mInfo.mode, mInfo.mtime,
mToken, mBackupManagerBinder);
} catch (RemoteException e) {
// never happens; this is used strictly for local binder calls
}
}
}
@Override
public void run() {
Slog.i(TAG, "--- Performing full-dataset restore ---");
sendStartRestore();
Implement shared-storage full backup/restore Every available shared-storage volume is backed up, tagged with its ordinal in the set of mounted shared volumes. This is an approximation of "internal + the external card". This lets us restore things to the same volume [or "equivalent" volume, in the case of a cross-model restore] as they originated on. Also fixed a bug in the handling of files/dirs with spaces in their names. Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
2011-06-02 15:08:13 -07:00
// Are we able to restore shared-storage data?
if (Environment.getExternalStorageState().equals(Environment.MEDIA_MOUNTED)) {
mPackagePolicies.put("com.android.sharedstoragebackup", RestorePolicy.ACCEPT);
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
FileInputStream rawInStream = null;
DataInputStream rawDataIn = null;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
try {
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
if (hasBackupPassword()) {
if (!passwordMatchesSaved(mCurrentPassword, PBKDF2_HASH_ROUNDS)) {
if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
return;
}
}
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
mBytes = 0;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
byte[] buffer = new byte[32 * 1024];
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
rawInStream = new FileInputStream(mInputFile.getFileDescriptor());
rawDataIn = new DataInputStream(rawInStream);
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
// First, parse out the unencrypted/uncompressed header
boolean compressed = false;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
InputStream preCompressStream = rawInStream;
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
final InputStream in;
boolean okay = false;
final int headerLen = BACKUP_FILE_HEADER_MAGIC.length();
byte[] streamHeader = new byte[headerLen];
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
rawDataIn.readFully(streamHeader);
byte[] magicBytes = BACKUP_FILE_HEADER_MAGIC.getBytes("UTF-8");
if (Arrays.equals(magicBytes, streamHeader)) {
// okay, header looks good. now parse out the rest of the fields.
String s = readHeaderLine(rawInStream);
if (Integer.parseInt(s) == BACKUP_FILE_VERSION) {
// okay, it's a version we recognize
s = readHeaderLine(rawInStream);
compressed = (Integer.parseInt(s) != 0);
s = readHeaderLine(rawInStream);
if (s.equals("none")) {
// no more header to parse; we're good to go
okay = true;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
} else if (mDecryptPassword != null && mDecryptPassword.length() > 0) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
preCompressStream = decodeAesHeaderAndInitialize(s, rawInStream);
if (preCompressStream != null) {
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
okay = true;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
}
} else Slog.w(TAG, "Archive is encrypted but no password given");
} else Slog.w(TAG, "Wrong header version: " + s);
} else Slog.w(TAG, "Didn't read the right header magic");
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
if (!okay) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
Slog.w(TAG, "Invalid restore data; aborting.");
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
return;
}
// okay, use the right stream layer based on compression
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
in = (compressed) ? new InflaterInputStream(preCompressStream) : preCompressStream;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
boolean didRestore;
do {
Compress the backup output stream Zlib compression, with a full flush between each application's data. Encryption will be performed on the already-compressed data once that's implemented. On restore, the streamed data is similarly uncompressed on the fly. Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
2011-07-11 11:31:57 -07:00
didRestore = restoreOneFile(in, buffer);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
} while (didRestore);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "Done consuming input tarfile, total bytes=" + mBytes);
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
} catch (IOException e) {
Slog.e(TAG, "Unable to read restore input");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
} finally {
tearDownPipes();
tearDownAgent(mTargetApp);
try {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (rawDataIn != null) rawDataIn.close();
if (rawInStream != null) rawInStream.close();
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
mInputFile.close();
} catch (IOException e) {
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
Slog.w(TAG, "Close of restore data pipe threw", e);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
/* nothing we can do about this */
}
synchronized (mCurrentOpLock) {
mCurrentOperations.clear();
}
synchronized (mLatchObject) {
mLatchObject.set(true);
mLatchObject.notifyAll();
}
sendEndRestore();
mWakelock.release();
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
Slog.d(TAG, "Full restore pass complete.");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
}
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
String readHeaderLine(InputStream in) throws IOException {
int c;
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
StringBuilder buffer = new StringBuilder(80);
Support for compressed backups The backup format now includes a stream header. That header begins with a magic string and version number, then includes a flag stating whether the archive data is compressed, and then in the case of encrypted archives states the password salt used during encryption key stretching. When compression is used, everything following the header is run through a standard zlib "deflate" compressor before being sent downstream. Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
2011-07-13 19:30:21 -07:00
while ((c = in.read()) >= 0) {
if (c == '\n') break; // consume and discard the newlines
buffer.append((char)c);
}
return buffer.toString();
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
InputStream decodeAesHeaderAndInitialize(String encryptionName, InputStream rawInStream) {
InputStream result = null;
try {
if (encryptionName.equals(ENCRYPTION_ALGORITHM_NAME)) {
String userSaltHex = readHeaderLine(rawInStream); // 5
byte[] userSalt = hexToByteArray(userSaltHex);
String ckSaltHex = readHeaderLine(rawInStream); // 6
byte[] ckSalt = hexToByteArray(ckSaltHex);
int rounds = Integer.parseInt(readHeaderLine(rawInStream)); // 7
String userIvHex = readHeaderLine(rawInStream); // 8
String masterKeyBlobHex = readHeaderLine(rawInStream); // 9
// decrypt the master key blob
Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
SecretKey userKey = buildPasswordKey(mDecryptPassword, userSalt,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
rounds);
byte[] IV = hexToByteArray(userIvHex);
IvParameterSpec ivSpec = new IvParameterSpec(IV);
c.init(Cipher.DECRYPT_MODE,
new SecretKeySpec(userKey.getEncoded(), "AES"),
ivSpec);
byte[] mkCipher = hexToByteArray(masterKeyBlobHex);
byte[] mkBlob = c.doFinal(mkCipher);
// first, the master key IV
int offset = 0;
int len = mkBlob[offset++];
IV = Arrays.copyOfRange(mkBlob, offset, offset + len);
offset += len;
// then the master key itself
len = mkBlob[offset++];
byte[] mk = Arrays.copyOfRange(mkBlob,
offset, offset + len);
offset += len;
// and finally the master key checksum hash
len = mkBlob[offset++];
byte[] mkChecksum = Arrays.copyOfRange(mkBlob,
offset, offset + len);
// now validate the decrypted master key against the checksum
byte[] calculatedCk = makeKeyChecksum(mk, ckSalt, rounds);
if (Arrays.equals(calculatedCk, mkChecksum)) {
ivSpec = new IvParameterSpec(IV);
c.init(Cipher.DECRYPT_MODE,
new SecretKeySpec(mk, "AES"),
ivSpec);
// Only if all of the above worked properly will 'result' be assigned
result = new CipherInputStream(rawInStream, c);
} else Slog.w(TAG, "Incorrect password");
} else Slog.w(TAG, "Unsupported encryption method: " + encryptionName);
} catch (InvalidAlgorithmParameterException e) {
Slog.e(TAG, "Needed parameter spec unavailable!", e);
} catch (BadPaddingException e) {
// This case frequently occurs when the wrong password is used to decrypt
// the master key. Use the identical "incorrect password" log text as is
// used in the checksum failure log in order to avoid providing additional
// information to an attacker.
Slog.w(TAG, "Incorrect password");
} catch (IllegalBlockSizeException e) {
Slog.w(TAG, "Invalid block size in master key");
} catch (NoSuchAlgorithmException e) {
Slog.e(TAG, "Needed decryption algorithm unavailable!");
} catch (NoSuchPaddingException e) {
Slog.e(TAG, "Needed padding mechanism unavailable!");
} catch (InvalidKeyException e) {
Slog.w(TAG, "Illegal password; aborting");
} catch (NumberFormatException e) {
Slog.w(TAG, "Can't parse restore data header");
} catch (IOException e) {
Slog.w(TAG, "Can't read input header");
}
return result;
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
boolean restoreOneFile(InputStream instream, byte[] buffer) {
FileMetadata info;
try {
info = readTarHeaders(instream);
if (info != null) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) {
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
dumpFileMetadata(info);
}
final String pkg = info.packageName;
if (!pkg.equals(mAgentPackage)) {
// okay, change in package; set up our various
// bookkeeping if we haven't seen it yet
if (!mPackagePolicies.containsKey(pkg)) {
mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
}
// Clean up the previous agent relationship if necessary,
// and let the observer know we're considering a new app.
if (mAgent != null) {
if (DEBUG) Slog.d(TAG, "Saw new package; tearing down old one");
tearDownPipes();
tearDownAgent(mTargetApp);
mTargetApp = null;
mAgentPackage = null;
}
}
if (info.path.equals(BACKUP_MANIFEST_FILENAME)) {
mPackagePolicies.put(pkg, readAppManifest(info, instream));
mPackageInstallers.put(pkg, info.installerPackageName);
// We've read only the manifest content itself at this point,
// so consume the footer before looping around to the next
// input file
skipTarPadding(info.size, instream);
sendOnRestorePackage(pkg);
} else {
// Non-manifest, so it's actual file data. Is this a package
// we're ignoring?
boolean okay = true;
RestorePolicy policy = mPackagePolicies.get(pkg);
switch (policy) {
case IGNORE:
okay = false;
break;
case ACCEPT_IF_APK:
// If we're in accept-if-apk state, then the first file we
// see MUST be the apk.
if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
if (DEBUG) Slog.d(TAG, "APK file; installing");
// Try to install the app.
String installerName = mPackageInstallers.get(pkg);
okay = installApk(info, installerName, instream);
// good to go; promote to ACCEPT
mPackagePolicies.put(pkg, (okay)
? RestorePolicy.ACCEPT
: RestorePolicy.IGNORE);
// At this point we've consumed this file entry
// ourselves, so just strip the tar footer and
// go on to the next file in the input stream
skipTarPadding(info.size, instream);
return true;
} else {
// File data before (or without) the apk. We can't
// handle it coherently in this case so ignore it.
mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
okay = false;
}
break;
case ACCEPT:
if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
if (DEBUG) Slog.d(TAG, "apk present but ACCEPT");
// we can take the data without the apk, so we
// *want* to do so. skip the apk by declaring this
// one file not-okay without changing the restore
// policy for the package.
okay = false;
}
break;
default:
// Something has gone dreadfully wrong when determining
// the restore policy from the manifest. Ignore the
// rest of this package's data.
Slog.e(TAG, "Invalid policy from manifest");
okay = false;
mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
break;
}
// If the policy is satisfied, go ahead and set up to pipe the
// data to the agent.
if (DEBUG && okay && mAgent != null) {
Slog.i(TAG, "Reusing existing agent instance");
}
if (okay && mAgent == null) {
if (DEBUG) Slog.d(TAG, "Need to launch agent for " + pkg);
try {
mTargetApp = mPackageManager.getApplicationInfo(pkg, 0);
// If we haven't sent any data to this app yet, we probably
// need to clear it first. Check that.
if (!mClearedPackages.contains(pkg)) {
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
// apps with their own backup agents are
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// responsible for coherently managing a full
// restore.
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
if (mTargetApp.backupAgentName == null) {
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (DEBUG) Slog.d(TAG, "Clearing app data preparatory to full restore");
clearApplicationDataSynchronous(pkg);
} else {
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
if (DEBUG) Slog.d(TAG, "backup agent ("
+ mTargetApp.backupAgentName + ") => no clear");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
mClearedPackages.add(pkg);
} else {
if (DEBUG) Slog.d(TAG, "We've initialized this app already; no clear required");
}
// All set; now set up the IPC and launch the agent
setUpPipes();
mAgent = bindToAgentSynchronous(mTargetApp,
IApplicationThread.BACKUP_MODE_RESTORE_FULL);
mAgentPackage = pkg;
} catch (IOException e) {
// fall through to error handling
} catch (NameNotFoundException e) {
// fall through to error handling
}
if (mAgent == null) {
if (DEBUG) Slog.d(TAG, "Unable to create agent for " + pkg);
okay = false;
tearDownPipes();
mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
}
}
// Sanity check: make sure we never give data to the wrong app. This
// should never happen but a little paranoia here won't go amiss.
if (okay && !pkg.equals(mAgentPackage)) {
Slog.e(TAG, "Restoring data for " + pkg
+ " but agent is for " + mAgentPackage);
okay = false;
}
// At this point we have an agent ready to handle the full
// restore data as well as a pipe for sending data to
// that agent. Tell the agent to start reading from the
// pipe.
if (okay) {
boolean agentSuccess = true;
long toCopy = info.size;
final int token = generateToken();
try {
if (DEBUG) Slog.d(TAG, "Invoking agent to restore file "
+ info.path);
prepareOperationTimeout(token,
TIMEOUT_FULL_BACKUP_INTERVAL);
// fire up the app's agent listening on the socket. If
// the agent is running in the system process we can't
// just invoke it asynchronously, so we provide a thread
// for it here.
if (mTargetApp.processName.equals("system")) {
Slog.d(TAG, "system process agent - spinning a thread");
RestoreFileRunnable runner = new RestoreFileRunnable(
mAgent, info, mPipes[0], token);
new Thread(runner).start();
} else {
mAgent.doRestoreFile(mPipes[0], info.size, info.type,
info.domain, info.path, info.mode, info.mtime,
token, mBackupManagerBinder);
}
} catch (IOException e) {
// couldn't dup the socket for a process-local restore
Slog.d(TAG, "Couldn't establish restore");
agentSuccess = false;
okay = false;
} catch (RemoteException e) {
// whoops, remote agent went away. We'll eat the content
// ourselves, then, and not copy it over.
Slog.e(TAG, "Agent crashed during full restore");
agentSuccess = false;
okay = false;
}
// Copy over the data if the agent is still good
if (okay) {
boolean pipeOkay = true;
FileOutputStream pipe = new FileOutputStream(
mPipes[1].getFileDescriptor());
while (toCopy > 0) {
int toRead = (toCopy > buffer.length)
? buffer.length : (int)toCopy;
int nRead = instream.read(buffer, 0, toRead);
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
if (nRead >= 0) mBytes += nRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (nRead <= 0) break;
toCopy -= nRead;
// send it to the output pipe as long as things
// are still good
if (pipeOkay) {
try {
pipe.write(buffer, 0, nRead);
} catch (IOException e) {
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
Slog.e(TAG, "Failed to write to restore pipe", e);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
pipeOkay = false;
}
}
}
// done sending that file! Now we just need to consume
// the delta from info.size to the end of block.
skipTarPadding(info.size, instream);
// and now that we've sent it all, wait for the remote
// side to acknowledge receipt
agentSuccess = waitUntilOperationComplete(token);
}
// okay, if the remote end failed at any point, deal with
// it by ignoring the rest of the restore on it
if (!agentSuccess) {
mBackupHandler.removeMessages(MSG_TIMEOUT);
tearDownPipes();
tearDownAgent(mTargetApp);
mAgent = null;
mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
}
}
// Problems setting up the agent communication, or an already-
// ignored package: skip to the next tar stream entry by
// reading and discarding this file.
if (!okay) {
if (DEBUG) Slog.d(TAG, "[discarding file content]");
long bytesToConsume = (info.size + 511) & ~511;
while (bytesToConsume > 0) {
int toRead = (bytesToConsume > buffer.length)
? buffer.length : (int)bytesToConsume;
long nRead = instream.read(buffer, 0, toRead);
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
if (nRead >= 0) mBytes += nRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (nRead <= 0) break;
bytesToConsume -= nRead;
}
}
}
}
} catch (IOException e) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (DEBUG) Slog.w(TAG, "io exception on restore socket read", e);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// treat as EOF
info = null;
}
return (info != null);
}
void setUpPipes() throws IOException {
mPipes = ParcelFileDescriptor.createPipe();
}
void tearDownPipes() {
if (mPipes != null) {
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
try {
mPipes[0].close();
mPipes[0] = null;
mPipes[1].close();
mPipes[1] = null;
} catch (IOException e) {
Slog.w(TAG, "Couldn't close agent pipes", e);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
mPipes = null;
}
}
void tearDownAgent(ApplicationInfo app) {
if (mAgent != null) {
try {
// unbind and tidy up even on timeout or failure, just in case
mActivityManager.unbindBackupAgent(app);
// The agent was running with a stub Application object, so shut it down.
// !!! We hardcode the confirmation UI's package name here rather than use a
// manifest flag! TODO something less direct.
if (app.uid != Process.SYSTEM_UID
&& !app.packageName.equals("com.android.backupconfirm")) {
if (DEBUG) Slog.d(TAG, "Killing host process");
mActivityManager.killApplicationProcess(app.processName, app.uid);
} else {
if (DEBUG) Slog.d(TAG, "Not killing after full restore");
}
} catch (RemoteException e) {
Slog.d(TAG, "Lost app trying to shut down");
}
mAgent = null;
}
}
class RestoreInstallObserver extends IPackageInstallObserver.Stub {
final AtomicBoolean mDone = new AtomicBoolean();
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
String mPackageName;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
int mResult;
public void reset() {
synchronized (mDone) {
mDone.set(false);
}
}
public void waitForCompletion() {
synchronized (mDone) {
while (mDone.get() == false) {
try {
mDone.wait();
} catch (InterruptedException e) { }
}
}
}
int getResult() {
return mResult;
}
@Override
public void packageInstalled(String packageName, int returnCode)
throws RemoteException {
synchronized (mDone) {
mResult = returnCode;
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
mPackageName = packageName;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
mDone.set(true);
mDone.notifyAll();
}
}
}
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
class RestoreDeleteObserver extends IPackageDeleteObserver.Stub {
final AtomicBoolean mDone = new AtomicBoolean();
int mResult;
public void reset() {
synchronized (mDone) {
mDone.set(false);
}
}
public void waitForCompletion() {
synchronized (mDone) {
while (mDone.get() == false) {
try {
mDone.wait();
} catch (InterruptedException e) { }
}
}
}
@Override
public void packageDeleted(String packageName, int returnCode) throws RemoteException {
synchronized (mDone) {
mResult = returnCode;
mDone.set(true);
mDone.notifyAll();
}
}
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
final RestoreInstallObserver mInstallObserver = new RestoreInstallObserver();
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
final RestoreDeleteObserver mDeleteObserver = new RestoreDeleteObserver();
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
boolean installApk(FileMetadata info, String installerPackage, InputStream instream) {
boolean okay = true;
if (DEBUG) Slog.d(TAG, "Installing from backup: " + info.packageName);
// The file content is an .apk file. Copy it out to a staging location and
// attempt to install it.
File apkFile = new File(mDataDir, info.packageName);
try {
FileOutputStream apkStream = new FileOutputStream(apkFile);
byte[] buffer = new byte[32 * 1024];
long size = info.size;
while (size > 0) {
long toRead = (buffer.length < size) ? buffer.length : size;
int didRead = instream.read(buffer, 0, (int)toRead);
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
if (didRead >= 0) mBytes += didRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
apkStream.write(buffer, 0, didRead);
size -= didRead;
}
apkStream.close();
// make sure the installer can read it
apkFile.setReadable(true, false);
// Now install it
Uri packageUri = Uri.fromFile(apkFile);
mInstallObserver.reset();
mPackageManager.installPackage(packageUri, mInstallObserver,
PackageManager.INSTALL_REPLACE_EXISTING, installerPackage);
mInstallObserver.waitForCompletion();
if (mInstallObserver.getResult() != PackageManager.INSTALL_SUCCEEDED) {
// The only time we continue to accept install of data even if the
// apk install failed is if we had already determined that we could
// accept the data regardless.
if (mPackagePolicies.get(info.packageName) != RestorePolicy.ACCEPT) {
okay = false;
}
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
} else {
// Okay, the install succeeded. Make sure it was the right app.
boolean uninstall = false;
if (!mInstallObserver.mPackageName.equals(info.packageName)) {
Slog.w(TAG, "Restore stream claimed to include apk for "
+ info.packageName + " but apk was really "
+ mInstallObserver.mPackageName);
// delete the package we just put in place; it might be fraudulent
okay = false;
uninstall = true;
} else {
try {
PackageInfo pkg = mPackageManager.getPackageInfo(info.packageName,
PackageManager.GET_SIGNATURES);
if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
Slog.w(TAG, "Restore stream contains apk of package "
+ info.packageName + " but it disallows backup/restore");
okay = false;
} else {
// So far so good -- do the signatures match the manifest?
Signature[] sigs = mManifestSignatures.get(info.packageName);
if (!signaturesMatch(sigs, pkg)) {
Slog.w(TAG, "Installed app " + info.packageName
+ " signatures do not match restore manifest");
okay = false;
uninstall = true;
}
}
} catch (NameNotFoundException e) {
Slog.w(TAG, "Install of package " + info.packageName
+ " succeeded but now not found");
okay = false;
}
}
// If we're not okay at this point, we need to delete the package
// that we just installed.
if (uninstall) {
mDeleteObserver.reset();
mPackageManager.deletePackage(mInstallObserver.mPackageName,
mDeleteObserver, 0);
mDeleteObserver.waitForCompletion();
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
} catch (IOException e) {
Slog.e(TAG, "Unable to transcribe restored apk for install");
okay = false;
} finally {
apkFile.delete();
}
return okay;
}
// Given an actual file content size, consume the post-content padding mandated
// by the tar format.
void skipTarPadding(long size, InputStream instream) throws IOException {
long partial = (size + 512) % 512;
if (partial > 0) {
byte[] buffer = new byte[512];
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
int nRead = instream.read(buffer, 0, 512 - (int)partial);
if (nRead >= 0) mBytes += nRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
}
// Returns a policy constant; takes a buffer arg to reduce memory churn
RestorePolicy readAppManifest(FileMetadata info, InputStream instream)
throws IOException {
// Fail on suspiciously large manifest files
if (info.size > 64 * 1024) {
throw new IOException("Restore manifest too big; corrupt? size=" + info.size);
}
byte[] buffer = new byte[(int) info.size];
int nRead = 0;
while (nRead < info.size) {
nRead += instream.read(buffer, nRead, (int)info.size - nRead);
}
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
if (nRead >= 0) mBytes += nRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
RestorePolicy policy = RestorePolicy.IGNORE;
String[] str = new String[1];
int offset = 0;
try {
offset = extractLine(buffer, offset, str);
int version = Integer.parseInt(str[0]);
if (version == BACKUP_MANIFEST_VERSION) {
offset = extractLine(buffer, offset, str);
String manifestPackage = str[0];
// TODO: handle <original-package>
if (manifestPackage.equals(info.packageName)) {
offset = extractLine(buffer, offset, str);
version = Integer.parseInt(str[0]); // app version
offset = extractLine(buffer, offset, str);
int platformVersion = Integer.parseInt(str[0]);
offset = extractLine(buffer, offset, str);
info.installerPackageName = (str[0].length() > 0) ? str[0] : null;
offset = extractLine(buffer, offset, str);
boolean hasApk = str[0].equals("1");
offset = extractLine(buffer, offset, str);
int numSigs = Integer.parseInt(str[0]);
if (numSigs > 0) {
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
Signature[] sigs = new Signature[numSigs];
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
for (int i = 0; i < numSigs; i++) {
offset = extractLine(buffer, offset, str);
sigs[i] = new Signature(str[0]);
}
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
mManifestSignatures.put(info.packageName, sigs);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// Okay, got the manifest info we need...
try {
PackageInfo pkgInfo = mPackageManager.getPackageInfo(
info.packageName, PackageManager.GET_SIGNATURES);
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
// Fall through to IGNORE if the app explicitly disallows backup
final int flags = pkgInfo.applicationInfo.flags;
if ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
// Verify signatures against any installed version; if they
// don't match, then we fall though and ignore the data. The
// signatureMatch() method explicitly ignores the signature
// check for packages installed on the system partition, because
// such packages are signed with the platform cert instead of
// the app developer's cert, so they're different on every
// device.
if (signaturesMatch(sigs, pkgInfo)) {
if (pkgInfo.versionCode >= version) {
Slog.i(TAG, "Sig + version match; taking data");
policy = RestorePolicy.ACCEPT;
} else {
// The data is from a newer version of the app than
// is presently installed. That means we can only
// use it if the matching apk is also supplied.
Slog.d(TAG, "Data version " + version
+ " is newer than installed version "
+ pkgInfo.versionCode + " - requiring apk");
policy = RestorePolicy.ACCEPT_IF_APK;
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
} else {
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
Slog.w(TAG, "Restore manifest signatures do not match "
+ "installed application for " + info.packageName);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Respect android:allowBackup="false" during full backup & restore Packages with this manifest attribute set 'false' will not be backed up even through the "full device backup" infrastructure. If someone produces an apparent restore file with data for such an application, it will not actually be restored onto the device. When an apk is installed during the course of a restore operation, it is validated against the manifest contents and deleted if there is a mismatch. Also, if the newly-installed app is found to disallow backups, no file content will be processed for that app. Bug 4532159 Change-Id: I59630054584b1394e567de939192e22e597044ee
2011-06-03 12:27:51 -07:00
} else {
if (DEBUG) Slog.i(TAG, "Restore manifest from "
+ info.packageName + " but allowBackup=false");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
} catch (NameNotFoundException e) {
// Okay, the target app isn't installed. We can process
// the restore properly only if the dataset provides the
// apk file and we can successfully install it.
if (DEBUG) Slog.i(TAG, "Package " + info.packageName
+ " not installed; requiring apk in dataset");
policy = RestorePolicy.ACCEPT_IF_APK;
}
if (policy == RestorePolicy.ACCEPT_IF_APK && !hasApk) {
Slog.i(TAG, "Cannot restore package " + info.packageName
+ " without the matching .apk");
}
} else {
Slog.i(TAG, "Missing signature on backed-up package "
+ info.packageName);
}
} else {
Slog.i(TAG, "Expected package " + info.packageName
+ " but restore manifest claims " + manifestPackage);
}
} else {
Slog.i(TAG, "Unknown restore manifest version " + version
+ " for package " + info.packageName);
}
} catch (NumberFormatException e) {
Slog.w(TAG, "Corrupt restore manifest for package " + info.packageName);
}
return policy;
}
// Builds a line from a byte buffer starting at 'offset', and returns
// the index of the next unconsumed data in the buffer.
int extractLine(byte[] buffer, int offset, String[] outStr) throws IOException {
final int end = buffer.length;
if (offset >= end) throw new IOException("Incomplete data");
int pos;
for (pos = offset; pos < end; pos++) {
byte c = buffer[pos];
// at LF we declare end of line, and return the next char as the
// starting point for the next time through
if (c == '\n') {
break;
}
}
outStr[0] = new String(buffer, offset, pos - offset);
pos++; // may be pointing an extra byte past the end but that's okay
return pos;
}
void dumpFileMetadata(FileMetadata info) {
if (DEBUG) {
StringBuilder b = new StringBuilder(128);
// mode string
Make full backup API available to apps New methods for full backup/restore have been added to BackupAgent (still hidden): onFullBackup() and onRestoreFile(). The former is the entry point for a full app backup to adb/socket/etc: the app then writes all of its files, entire, to the output. During restore, the latter new callback is invoked, once for each file being restored. The full backup/restore interface does not use the previously-defined BackupDataInput / BackupDataOutput classes, because those classes provide an API designed for incremental key/value data structuring. Instead, a new FullBackupDataOutput class has been introduced, through which we restrict apps' abilities to write data during a full backup operation to *only* writing entire on-disk files via a new BackupAgent method called fullBackupFile(). "FullBackupAgent" exists now solely as a concrete shell class that can be instantiated in the case of apps that do not have their own BackupAgent implementations. Along with the API change, responsibility for backing up the .apk file and OBB container has been moved into the framework rather than have the application side of the transaction do it. Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
2011-06-24 14:58:49 -07:00
b.append((info.type == BackupAgent.TYPE_DIRECTORY) ? 'd' : '-');
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
b.append(((info.mode & 0400) != 0) ? 'r' : '-');
b.append(((info.mode & 0200) != 0) ? 'w' : '-');
b.append(((info.mode & 0100) != 0) ? 'x' : '-');
b.append(((info.mode & 0040) != 0) ? 'r' : '-');
b.append(((info.mode & 0020) != 0) ? 'w' : '-');
b.append(((info.mode & 0010) != 0) ? 'x' : '-');
b.append(((info.mode & 0004) != 0) ? 'r' : '-');
b.append(((info.mode & 0002) != 0) ? 'w' : '-');
b.append(((info.mode & 0001) != 0) ? 'x' : '-');
b.append(String.format(" %9d ", info.size));
Date stamp = new Date(info.mtime);
b.append(new SimpleDateFormat("MMM dd kk:mm:ss ").format(stamp));
b.append(info.packageName);
b.append(" :: ");
b.append(info.domain);
b.append(" :: ");
b.append(info.path);
Slog.i(TAG, b.toString());
}
}
// Consume a tar file header block [sequence] and accumulate the relevant metadata
FileMetadata readTarHeaders(InputStream instream) throws IOException {
byte[] block = new byte[512];
FileMetadata info = null;
boolean gotHeader = readTarHeader(instream, block);
if (gotHeader) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
try {
// okay, presume we're okay, and extract the various metadata
info = new FileMetadata();
info.size = extractRadix(block, 124, 12, 8);
info.mtime = extractRadix(block, 136, 12, 8);
info.mode = extractRadix(block, 100, 8, 8);
info.path = extractString(block, 345, 155); // prefix
String path = extractString(block, 0, 100);
if (path.length() > 0) {
if (info.path.length() > 0) info.path += '/';
info.path += path;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
// tar link indicator field: 1 byte at offset 156 in the header.
int typeChar = block[156];
if (typeChar == 'x') {
// pax extended header, so we need to read that
gotHeader = readPaxExtendedHeader(instream, info);
if (gotHeader) {
// and after a pax extended header comes another real header -- read
// that to find the real file type
gotHeader = readTarHeader(instream, block);
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
if (!gotHeader) throw new IOException("Bad or missing pax header");
typeChar = block[156];
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
switch (typeChar) {
case '0': info.type = BackupAgent.TYPE_FILE; break;
case '5': {
info.type = BackupAgent.TYPE_DIRECTORY;
if (info.size != 0) {
Slog.w(TAG, "Directory entry with nonzero size in header");
info.size = 0;
}
break;
}
case 0: {
// presume EOF
if (DEBUG) Slog.w(TAG, "Saw type=0 in tar header block, info=" + info);
return null;
}
default: {
Slog.e(TAG, "Unknown tar entity type: " + typeChar);
throw new IOException("Unknown entity type " + typeChar);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
}
// Parse out the path
//
// first: apps/shared/unrecognized
if (FullBackup.SHARED_PREFIX.regionMatches(0,
info.path, 0, FullBackup.SHARED_PREFIX.length())) {
// File in shared storage. !!! TODO: implement this.
info.path = info.path.substring(FullBackup.SHARED_PREFIX.length());
info.packageName = "com.android.sharedstoragebackup";
info.domain = FullBackup.SHARED_STORAGE_TOKEN;
if (DEBUG) Slog.i(TAG, "File in shared storage: " + info.path);
} else if (FullBackup.APPS_PREFIX.regionMatches(0,
info.path, 0, FullBackup.APPS_PREFIX.length())) {
// App content! Parse out the package name and domain
// strip the apps/ prefix
info.path = info.path.substring(FullBackup.APPS_PREFIX.length());
// extract the package name
int slash = info.path.indexOf('/');
if (slash < 0) throw new IOException("Illegal semantic path in " + info.path);
info.packageName = info.path.substring(0, slash);
info.path = info.path.substring(slash+1);
// if it's a manifest we're done, otherwise parse out the domains
if (!info.path.equals(BACKUP_MANIFEST_FILENAME)) {
slash = info.path.indexOf('/');
if (slash < 0) throw new IOException("Illegal semantic path in non-manifest " + info.path);
info.domain = info.path.substring(0, slash);
// validate that it's one of the domains we understand
if (!info.domain.equals(FullBackup.APK_TREE_TOKEN)
&& !info.domain.equals(FullBackup.DATA_TREE_TOKEN)
&& !info.domain.equals(FullBackup.DATABASE_TREE_TOKEN)
&& !info.domain.equals(FullBackup.ROOT_TREE_TOKEN)
&& !info.domain.equals(FullBackup.SHAREDPREFS_TREE_TOKEN)
&& !info.domain.equals(FullBackup.OBB_TREE_TOKEN)
&& !info.domain.equals(FullBackup.CACHE_TREE_TOKEN)) {
throw new IOException("Unrecognized domain " + info.domain);
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
info.path = info.path.substring(slash + 1);
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
} catch (IOException e) {
if (DEBUG) {
Slog.e(TAG, "Parse error in header. Hexdump:");
HEXLOG(block);
}
throw e;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
}
return info;
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
private void HEXLOG(byte[] block) {
int offset = 0;
int todo = block.length;
StringBuilder buf = new StringBuilder(64);
while (todo > 0) {
buf.append(String.format("%04x ", offset));
int numThisLine = (todo > 16) ? 16 : todo;
for (int i = 0; i < numThisLine; i++) {
buf.append(String.format("%02x ", block[offset+i]));
}
Slog.i("hexdump", buf.toString());
buf.setLength(0);
todo -= numThisLine;
offset += numThisLine;
}
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
boolean readTarHeader(InputStream instream, byte[] block) throws IOException {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
int totalRead = 0;
while (totalRead < 512) {
int nRead = instream.read(block, totalRead, 512 - totalRead);
if (nRead >= 0) {
mBytes += nRead;
totalRead += nRead;
} else {
if (totalRead == 0) {
// EOF instead of a new header; we're done
break;
}
throw new IOException("Unable to read full block header, t=" + totalRead);
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
return (totalRead == 512);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
// overwrites 'info' fields based on the pax extended header
boolean readPaxExtendedHeader(InputStream instream, FileMetadata info)
throws IOException {
// We should never see a pax extended header larger than this
if (info.size > 32*1024) {
Slog.w(TAG, "Suspiciously large pax header size " + info.size
+ " - aborting");
throw new IOException("Sanity failure: pax header size " + info.size);
}
// read whole blocks, not just the content size
int numBlocks = (int)((info.size + 511) >> 9);
byte[] data = new byte[numBlocks * 512];
int nRead = instream.read(data);
Fix handling of directory entries Don't emit tar blocks for directories with an invalid nonzero size. Also, if such an entry is encountered during restore, don't actually attempt to treat it as valid and thus skip over the next actual tar entry. This patch also adds tracking of the data actually consumed during restore, and reports a total at the end of stream. Change-Id: I625173f76df3c007e899209101ff2b587841f184
2011-06-08 20:09:31 -07:00
if (nRead >= 0) mBytes += nRead;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (nRead != data.length) {
return false;
}
final int contentSize = (int) info.size;
int offset = 0;
do {
// extract the line at 'offset'
int eol = offset+1;
while (eol < contentSize && data[eol] != ' ') eol++;
if (eol >= contentSize) {
// error: we just hit EOD looking for the end of the size field
throw new IOException("Invalid pax data");
}
// eol points to the space between the count and the key
int linelen = (int) extractRadix(data, offset, eol - offset, 10);
int key = eol + 1; // start of key=value
eol = offset + linelen - 1; // trailing LF
int value;
for (value = key+1; data[value] != '=' && value <= eol; value++);
if (value > eol) {
throw new IOException("Invalid pax declaration");
}
// pax requires that key/value strings be in UTF-8
String keyStr = new String(data, key, value-key, "UTF-8");
// -1 to strip the trailing LF
String valStr = new String(data, value+1, eol-value-1, "UTF-8");
if ("path".equals(keyStr)) {
info.path = valStr;
} else if ("size".equals(keyStr)) {
info.size = Long.parseLong(valStr);
} else {
if (DEBUG) Slog.i(TAG, "Unhandled pax key: " + key);
}
offset += linelen;
} while (offset < contentSize);
return true;
}
long extractRadix(byte[] data, int offset, int maxChars, int radix)
throws IOException {
long value = 0;
final int end = offset + maxChars;
for (int i = offset; i < end; i++) {
final byte b = data[i];
Fix embedded spaces in tar stream EVEN HARDER Change-Id: I97ac586ff3541a05d73e1e53f680517c15e6c662
2011-06-07 13:17:17 -07:00
// Numeric fields in tar can terminate with either NUL or SPC
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (b == 0 || b == ' ') break;
if (b < '0' || b > ('0' + radix - 1)) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
throw new IOException("Invalid number in header: '" + (char)b + "' for radix " + radix);
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
value = radix * value + (b - '0');
}
return value;
}
String extractString(byte[] data, int offset, int maxChars) throws IOException {
final int end = offset + maxChars;
int eos = offset;
Fix embedded spaces in tar stream EVEN HARDER Change-Id: I97ac586ff3541a05d73e1e53f680517c15e6c662
2011-06-07 13:17:17 -07:00
// tar string fields terminate early with a NUL
while (eos < end && data[eos] != 0) eos++;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
return new String(data, offset, eos-offset, "US-ASCII");
}
void sendStartRestore() {
if (mObserver != null) {
try {
mObserver.onStartRestore();
} catch (RemoteException e) {
Slog.w(TAG, "full restore observer went away: startRestore");
mObserver = null;
}
}
}
void sendOnRestorePackage(String name) {
if (mObserver != null) {
try {
// TODO: use a more user-friendly name string
mObserver.onRestorePackage(name);
} catch (RemoteException e) {
Slog.w(TAG, "full restore observer went away: restorePackage");
mObserver = null;
}
}
}
void sendEndRestore() {
if (mObserver != null) {
try {
mObserver.onEndRestore();
} catch (RemoteException e) {
Slog.w(TAG, "full restore observer went away: endRestore");
mObserver = null;
}
}
}
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
// ----- Restore handling -----
Fix #2176803 - restores from userdebug to user builds not working The underlying issue is that ordinarily, the restore mechanism checks the signature block of the package which uploaded the restore data against the signature of the package on-device that will be handling the restore. This is to ensure that the restore goes to the "same" application as the one that uploaded it. However, applications bundled on the system partition as part of the device build are signed not with a permanent, app-identifying signature, but rather with the device's signature block, which is different for each kind of device and potentially between kinds of build for the same device. That renders the stored backup data unusable when changing devices / builds / etc. This change works around the problem by explicitly privileging applications that reside on the system partition: they have been built into the device, and so are trusted to be able to handle data that is marked as coming from its package name. Change-Id: I561011bce2b54cff3e695e82e7544b126b6ac31e
2009-11-04 11:49:08 -08:00
private boolean signaturesMatch(Signature[] storedSigs, PackageInfo target) {
// If the target resides on the system partition, we allow it to restore
// data from the like-named package in a restore set even if the signatures
// do not match. (Unlike general applications, those flashed to the system
// partition will be signed with the device's platform certificate, so on
// different phones the same system app will have different signatures.)
if ((target.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "System app " + target.packageName + " - skipping sig check");
Fix #2176803 - restores from userdebug to user builds not working The underlying issue is that ordinarily, the restore mechanism checks the signature block of the package which uploaded the restore data against the signature of the package on-device that will be handling the restore. This is to ensure that the restore goes to the "same" application as the one that uploaded it. However, applications bundled on the system partition as part of the device build are signed not with a permanent, app-identifying signature, but rather with the device's signature block, which is different for each kind of device and potentially between kinds of build for the same device. That renders the stored backup data unusable when changing devices / builds / etc. This change works around the problem by explicitly privileging applications that reside on the system partition: they have been built into the device, and so are trusted to be able to handle data that is marked as coming from its package name. Change-Id: I561011bce2b54cff3e695e82e7544b126b6ac31e
2009-11-04 11:49:08 -08:00
return true;
}
Make signature checks on restore work with unsigned apps
2009-06-18 19:41:36 -07:00
// Allow unsigned apps, but not signed on one device and unsigned on the other
// !!! TODO: is this the right policy?
Fix #2176803 - restores from userdebug to user builds not working The underlying issue is that ordinarily, the restore mechanism checks the signature block of the package which uploaded the restore data against the signature of the package on-device that will be handling the restore. This is to ensure that the restore goes to the "same" application as the one that uploaded it. However, applications bundled on the system partition as part of the device build are signed not with a permanent, app-identifying signature, but rather with the device's signature block, which is different for each kind of device and potentially between kinds of build for the same device. That renders the stored backup data unusable when changing devices / builds / etc. This change works around the problem by explicitly privileging applications that reside on the system partition: they have been built into the device, and so are trusted to be able to handle data that is marked as coming from its package name. Change-Id: I561011bce2b54cff3e695e82e7544b126b6ac31e
2009-11-04 11:49:08 -08:00
Signature[] deviceSigs = target.signatures;
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "signaturesMatch(): stored=" + storedSigs
Add app version to the backup metadata We now record the version number of the app (drawn from its manifest versionCode attribute) along with its signatures. At restore time, we compare the version associated with the restore set with the version present on the device. If the restore set is from a newer version of the app than is present on device, we do not perform the restore operation. Also fix the pending-backup iteration in 'dumpsys backup'.
2009-06-19 14:14:22 -07:00
+ " device=" + deviceSigs);
Make signature checks on restore work with unsigned apps
2009-06-18 19:41:36 -07:00
if ((storedSigs == null || storedSigs.length == 0)
&& (deviceSigs == null || deviceSigs.length == 0)) {
return true;
}
if (storedSigs == null || deviceSigs == null) {
return false;
}
Use signatures on restore On restore now, the backup manager gets the signature blocks corresponding to the restore set from the transport. It then validates those signatures against the on-device app signatures, and refuses to restore data to an app whose on-device sig block does not match the backup image's. Also actually implement 'bmgr transport N' so that we can select the local transport easily during runtime.
2009-06-18 18:35:32 -07:00
// !!! TODO: this demands that every stored signature match one
// that is present on device, and does not demand the converse.
// Is this this right policy?
int nStored = storedSigs.length;
int nDevice = deviceSigs.length;
for (int i=0; i < nStored; i++) {
boolean match = false;
for (int j=0; j < nDevice; j++) {
if (storedSigs[i].equals(deviceSigs[j])) {
match = true;
break;
}
}
if (!match) {
return false;
}
}
return true;
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
class PerformRestoreTask implements Runnable {
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
private IBackupTransport mTransport;
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
private IRestoreObserver mObserver;
Use a long for restore token
2009-06-26 13:20:02 -07:00
private long mToken;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
private PackageInfo mTargetPackage;
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
private File mStateDir;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
private int mPmToken;
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
private boolean mNeedFullBackup;
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
private HashSet<String> mFilterSet;
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Pass the originating app's versionCode along with a restore set This change amends the doRestore() / onRestore() interface to backup agents to provide the integer android:versionCode of the app that stored the backup set. This should help agents figure out how to handle whatever historical data set they're handed at restore time.
2009-06-22 16:44:51 -07:00
class RestoreRequest {
public PackageInfo app;
public int storedAppVersion;
RestoreRequest(PackageInfo _app, int _version) {
app = _app;
storedAppVersion = _version;
}
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
PerformRestoreTask(IBackupTransport transport, IRestoreObserver observer,
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
long restoreSetToken, PackageInfo targetPackage, int pmToken,
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
boolean needFullBackup, String[] filterSet) {
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
mTransport = transport;
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
mObserver = observer;
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
mToken = restoreSetToken;
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
mTargetPackage = targetPackage;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
mPmToken = pmToken;
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
mNeedFullBackup = needFullBackup;
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
if (filterSet != null) {
mFilterSet = new HashSet<String>();
for (String pkg : filterSet) {
mFilterSet.add(pkg);
}
} else {
mFilterSet = null;
}
Keep track of backup state independently for each transport Backup transports now provide the Backup Manager with a suggested name with which it can disambiguate any transport-specific bookkeeping that it needs to maintain. The Manager keeps separate application backup 'state blobs' for each transport now, preventing things from getting out of step if the device is switched among multiple transports. Also, the metadata backup agent is always invoked now on each backup pass. This is cheap when there is nothing to do, but also strongly ensures that we never wind up in a situation where a given transport destination has not been given all of the metadata necessary for the backup set.
2009-06-25 16:03:14 -07:00
try {
mStateDir = new File(mBaseStateDir, transport.transportDirName());
} catch (RemoteException e) {
// can't happen; the transport is local
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
public void run() {
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
long startRealtime = SystemClock.elapsedRealtime();
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Beginning restore process mTransport=" + mTransport
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
+ " mObserver=" + mObserver + " mToken=" + Long.toHexString(mToken)
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
+ " mTargetPackage=" + mTargetPackage + " mFilterSet=" + mFilterSet
+ " mPmToken=" + mPmToken);
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
PackageManagerBackupAgent pmAgent = null;
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
int error = -1; // assume error
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
// build the set of apps to restore
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
try {
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
// TODO: Log this before getAvailableRestoreSets, somehow
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_START, mTransport.transportDirName(), mToken);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
// Get the list of all packages which have backup enabled.
// (Include the Package Manager metadata pseudo-package first.)
ArrayList<PackageInfo> restorePackages = new ArrayList<PackageInfo>();
PackageInfo omPackage = new PackageInfo();
omPackage.packageName = PACKAGE_MANAGER_SENTINEL;
restorePackages.add(omPackage);
List<PackageInfo> agentPackages = allAgentPackages();
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
if (mTargetPackage == null) {
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
// if there's a filter set, strip out anything that isn't
// present before proceeding
if (mFilterSet != null) {
for (int i = agentPackages.size() - 1; i >= 0; i--) {
final PackageInfo pkg = agentPackages.get(i);
if (! mFilterSet.contains(pkg.packageName)) {
agentPackages.remove(i);
}
}
if (DEBUG) {
Slog.i(TAG, "Post-filter package set for restore:");
for (PackageInfo p : agentPackages) {
Slog.i(TAG, " " + p);
}
}
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
restorePackages.addAll(agentPackages);
} else {
// Just one package to attempt restore of
restorePackages.add(mTargetPackage);
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
// let the observer know that we're running
if (mObserver != null) {
try {
// !!! TODO: get an actual count from the transport after
// its startRestore() runs?
mObserver.restoreStarting(restorePackages.size());
} catch (RemoteException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "Restore observer died at restoreStarting");
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
mObserver = null;
}
}
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (mTransport.startRestore(mToken, restorePackages.toArray(new PackageInfo[0])) !=
BackupConstants.TRANSPORT_OK) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error starting restore operation");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
String packageName = mTransport.nextRestorePackage();
if (packageName == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error getting first restore package");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return;
} else if (packageName.equals("")) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "No restore data available");
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_SUCCESS, 0, millis);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return;
} else if (!packageName.equals(PACKAGE_MANAGER_SENTINEL)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Expected restore data for \"" + PACKAGE_MANAGER_SENTINEL
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
+ "\", found only \"" + packageName + "\"");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, PACKAGE_MANAGER_SENTINEL,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Package manager data missing");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return;
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
// Pull the Package Manager metadata from the restore set first
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
pmAgent = new PackageManagerBackupAgent(
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
mPackageManager, agentPackages);
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
processOneRestore(omPackage, 0, IBackupAgent.Stub.asInterface(pmAgent.onBind()),
mNeedFullBackup);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
If we can't get the restore set's metadata, don't continue Without the metadata we can't verify the version number or the signatures of the apps whose data we'd be trying to restore against the apps present on device. This is not acceptable; we need to refuse to give data to an unauthenticated app.
2009-07-02 14:28:47 -07:00
// Verify that the backup set includes metadata. If not, we can't do
// signature/version verification etc, so we simply do not proceed with
// the restore operation.
Fix the metadata-available test during restore
2009-07-07 14:23:07 -07:00
if (!pmAgent.hasMetadata()) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "No restore metadata available, so not restoring settings");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, PACKAGE_MANAGER_SENTINEL,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Package manager restore metadata missing");
If we can't get the restore set's metadata, don't continue Without the metadata we can't verify the version number or the signatures of the apps whose data we'd be trying to restore against the apps present on device. This is not acceptable; we need to refuse to give data to an unauthenticated app.
2009-07-02 14:28:47 -07:00
return;
}
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
int count = 0;
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
for (;;) {
packageName = mTransport.nextRestorePackage();
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
if (packageName == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error getting next restore package");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
return;
} else if (packageName.equals("")) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "No next package, finishing restore");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
break;
}
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
if (mObserver != null) {
try {
API CHANGE: Backup/restore API changes requested by the API Council * @hide the android.app.backup.RestoreSession class and functionality * Provide a public method on android.app.backup.BackupManager that apps can use to request a restore pass of their last-known-good dataset. The new method is called requestRestore(). * Provide the name of the package being restored, not just its ordinal, in the RestoreObserver's onUpdate() callback. Part of bug #2545514 Change-Id: I9689bf8d6e2b808b4ee412424a36a835be0a5ca8
2010-03-25 16:06:43 -07:00
mObserver.onUpdate(count, packageName);
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
} catch (RemoteException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "Restore observer died in onUpdate");
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
mObserver = null;
}
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
Metadata metaInfo = pmAgent.getRestoredMetadata(packageName);
if (metaInfo == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Missing metadata for " + packageName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Package metadata missing");
continue;
}
PackageInfo packageInfo;
try {
int flags = PackageManager.GET_SIGNATURES;
packageInfo = mPackageManager.getPackageInfo(packageName, flags);
} catch (NameNotFoundException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Invalid package restoring data", e);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Package missing on device");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
continue;
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
if (metaInfo.versionCode > packageInfo.versionCode) {
Add 'restoreAnyVersion' attr for apps that want to restore "future" data If a backup-participating app sets android:restoreAnyVersion="true" in its manifest <application> tag, then its agent will be invoked for restore even if the available dataset was created by a later version of the app than is currently installed on the device. This will not typically be a problem for third party applications, since for them the installation and initial data restore are tightly coupled, but it can cause serious problems for applications which are both preinstalled on the system partition and overridden by later updates. The primary difficulty that this new attribute addresses is this: 1. User buys a Nexus One, Market self-updates, and the user installs some apps. At this point the backup data on the server may indicate that the version of Market which originated its bookkeeping is newer than the stock N1 Market app. 2. User loses their phone, and buys a replacement N1. At setup time, Market has not yet had a chance to self-update, so when the restore comes in, it's tagged as being from "the future" and so the restore is refused. No apps get reinstalled. Bug: 2442127 Change-Id: I076a9553dc613e5c3189350e778315718ed1ed2b
2010-02-24 16:06:18 -08:00
// Data is from a "newer" version of the app than we have currently
// installed. If the app has not declared that it is prepared to
// handle this case, we do not attempt the restore.
if ((packageInfo.applicationInfo.flags
& ApplicationInfo.FLAG_RESTORE_ANY_VERSION) == 0) {
String message = "Version " + metaInfo.versionCode
+ " > installed version " + packageInfo.versionCode;
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Package " + packageName + ": " + message);
Add 'restoreAnyVersion' attr for apps that want to restore "future" data If a backup-participating app sets android:restoreAnyVersion="true" in its manifest <application> tag, then its agent will be invoked for restore even if the available dataset was created by a later version of the app than is currently installed on the device. This will not typically be a problem for third party applications, since for them the installation and initial data restore are tightly coupled, but it can cause serious problems for applications which are both preinstalled on the system partition and overridden by later updates. The primary difficulty that this new attribute addresses is this: 1. User buys a Nexus One, Market self-updates, and the user installs some apps. At this point the backup data on the server may indicate that the version of Market which originated its bookkeeping is newer than the stock N1 Market app. 2. User loses their phone, and buys a replacement N1. At setup time, Market has not yet had a chance to self-update, so when the restore comes in, it's tagged as being from "the future" and so the restore is refused. No apps get reinstalled. Bug: 2442127 Change-Id: I076a9553dc613e5c3189350e778315718ed1ed2b
2010-02-24 16:06:18 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
packageName, message);
continue;
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Version " + metaInfo.versionCode
Add 'restoreAnyVersion' attr for apps that want to restore "future" data If a backup-participating app sets android:restoreAnyVersion="true" in its manifest <application> tag, then its agent will be invoked for restore even if the available dataset was created by a later version of the app than is currently installed on the device. This will not typically be a problem for third party applications, since for them the installation and initial data restore are tightly coupled, but it can cause serious problems for applications which are both preinstalled on the system partition and overridden by later updates. The primary difficulty that this new attribute addresses is this: 1. User buys a Nexus One, Market self-updates, and the user installs some apps. At this point the backup data on the server may indicate that the version of Market which originated its bookkeeping is newer than the stock N1 Market app. 2. User loses their phone, and buys a replacement N1. At setup time, Market has not yet had a chance to self-update, so when the restore comes in, it's tagged as being from "the future" and so the restore is refused. No apps get reinstalled. Bug: 2442127 Change-Id: I076a9553dc613e5c3189350e778315718ed1ed2b
2010-02-24 16:06:18 -08:00
+ " > installed " + packageInfo.versionCode
+ " but restoreAnyVersion");
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Fix #2176803 - restores from userdebug to user builds not working The underlying issue is that ordinarily, the restore mechanism checks the signature block of the package which uploaded the restore data against the signature of the package on-device that will be handling the restore. This is to ensure that the restore goes to the "same" application as the one that uploaded it. However, applications bundled on the system partition as part of the device build are signed not with a permanent, app-identifying signature, but rather with the device's signature block, which is different for each kind of device and potentially between kinds of build for the same device. That renders the stored backup data unusable when changing devices / builds / etc. This change works around the problem by explicitly privileging applications that reside on the system partition: they have been built into the device, and so are trusted to be able to handle data that is marked as coming from its package name. Change-Id: I561011bce2b54cff3e695e82e7544b126b6ac31e
2009-11-04 11:49:08 -08:00
if (!signaturesMatch(metaInfo.signatures, packageInfo)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Signature mismatch restoring " + packageName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Signature mismatch");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
continue;
}
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Package " + packageName
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
+ " restore version [" + metaInfo.versionCode
+ "] is compatible with installed version ["
+ packageInfo.versionCode + "]");
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
API CHANGE: expose the backup-related ApplicationInfo flag masks Fixes bug #2507582 by doing the following: - Un-@hide the FLAG_ALLOW_BACKUP, FLAG_KILL_AFTER_RESTORE, and FLAG_RESTORE_ANY_VERSION mask constants in ApplicationInfo. These correspond, respectively, to the <application> manifest tag's android:allowBackup, android:killAfterRestore, and android:restoreAnyVersion attributes. - Remove the android:restoreNeedsApplication attribute and the corresponding FLAG_RESTORE_NEEDS_APPLICATION constant [which was still marked @hide]. We now always use the application's own Application class when performing a normal restore. In the future when we support an externalized full-filesystem backup/restore operation, we will use an OS-defined agent class with a base-class Application instance, but this will not happen until a future release. Also expands real documentation on the above ApplicationInfo constants; that work is part of bug #2465360 Change-Id: I735d07a963ae80a01343637d83bef84e4c23fdcc
2010-03-12 17:28:08 -08:00
// Then set up and bind the agent
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
IBackupAgent agent = bindToAgentSynchronous(
packageInfo.applicationInfo,
API CHANGE: expose the backup-related ApplicationInfo flag masks Fixes bug #2507582 by doing the following: - Un-@hide the FLAG_ALLOW_BACKUP, FLAG_KILL_AFTER_RESTORE, and FLAG_RESTORE_ANY_VERSION mask constants in ApplicationInfo. These correspond, respectively, to the <application> manifest tag's android:allowBackup, android:killAfterRestore, and android:restoreAnyVersion attributes. - Remove the android:restoreNeedsApplication attribute and the corresponding FLAG_RESTORE_NEEDS_APPLICATION constant [which was still marked @hide]. We now always use the application's own Application class when performing a normal restore. In the future when we support an externalized full-filesystem backup/restore operation, we will use an OS-defined agent class with a base-class Application instance, but this will not happen until a future release. Also expands real documentation on the above ApplicationInfo constants; that work is part of bug #2465360 Change-Id: I735d07a963ae80a01343637d83bef84e4c23fdcc
2010-03-12 17:28:08 -08:00
IApplicationThread.BACKUP_MODE_INCREMENTAL);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
if (agent == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Can't find backup agent for " + packageName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
"Restore agent missing");
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
continue;
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
// And then finally run the restore on this agent
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
try {
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
processOneRestore(packageInfo, metaInfo.versionCode, agent,
mNeedFullBackup);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
++count;
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
} finally {
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
// unbind and tidy up even on timeout or failure, just in case
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
mActivityManager.unbindBackupAgent(packageInfo.applicationInfo);
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
// The agent was probably running with a stub Application object,
// which isn't a valid run mode for the main app logic. Shut
// down the app so that next time it's launched, it gets the
Add 'restoreAnyVersion' attr for apps that want to restore "future" data If a backup-participating app sets android:restoreAnyVersion="true" in its manifest <application> tag, then its agent will be invoked for restore even if the available dataset was created by a later version of the app than is currently installed on the device. This will not typically be a problem for third party applications, since for them the installation and initial data restore are tightly coupled, but it can cause serious problems for applications which are both preinstalled on the system partition and overridden by later updates. The primary difficulty that this new attribute addresses is this: 1. User buys a Nexus One, Market self-updates, and the user installs some apps. At this point the backup data on the server may indicate that the version of Market which originated its bookkeeping is newer than the stock N1 Market app. 2. User loses their phone, and buys a replacement N1. At setup time, Market has not yet had a chance to self-update, so when the restore comes in, it's tagged as being from "the future" and so the restore is refused. No apps get reinstalled. Bug: 2442127 Change-Id: I076a9553dc613e5c3189350e778315718ed1ed2b
2010-02-24 16:06:18 -08:00
// usual full initialization. Note that this is only done for
// full-system restores: when a single app has requested a restore,
// it is explicitly not killed following that operation.
if (mTargetPackage == null && (packageInfo.applicationInfo.flags
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
& ApplicationInfo.FLAG_KILL_AFTER_RESTORE) != 0) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.d(TAG, "Restore complete, killing host process of "
Expand apps' control over the settings restore process Applications can now specify two more aspects of the restore process: whether they need to run with their own custom Application subclass rather than being launched in the usual restricted mode during restore, and whether it's okay for the backup manager to kill the app process once restore has completed. The new manifest attributes for these are, respectively, android:restoreNeedsApplication and android:killAfterRestore. If unspecified in the manifest, restoreNeedsApplication is false, and killAfterRestore is true. In order to support kill-after-restore cleanly, this change also adds a new system-process-only interface to the Activity Manager, which will schedule a "commit suicide" event on the target app's main thread looper. The framework backup agents have been given the appropriate new backup attributes as well.
2009-09-01 20:32:49 -07:00
+ packageInfo.applicationInfo.processName);
mActivityManager.killApplicationProcess(
packageInfo.applicationInfo.processName,
packageInfo.applicationInfo.uid);
}
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
}
}
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
// if we get this far, report success to the observer
error = 0;
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_SUCCESS, count, millis);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error in restore thread", e);
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
} finally {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.d(TAG, "finishing restore mObserver=" + mObserver);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
try {
mTransport.finishRestore();
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
} catch (RemoteException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error finishing restore", e);
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
if (mObserver != null) {
try {
mObserver.restoreFinished(error);
} catch (RemoteException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "Restore observer died at restoreFinished");
Add a new IRestoreObserver callback class to the restore process The observer is told when restore begins how many packages are being restored. It then gets an onUpdate() call telling it that the Nth package is now undergoing restore. Ultimately, its restoreFinished() callback is invoked, passing a simple success/fail error code, to let it know that the restore operation has concluded.
2009-06-25 18:03:43 -07:00
}
}
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// If this was a restoreAll operation, record that this was our
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
// ancestral dataset, as well as the set of apps that are possibly
// restoreable from the dataset
if (mTargetPackage == null && pmAgent != null) {
mAncestralPackages = pmAgent.getRestoredPackages();
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
mAncestralToken = mToken;
writeRestoreTokens();
}
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
// We must under all circumstances tell the Package Manager to
// proceed with install notifications if it's waiting for us.
if (mPmToken > 0) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "finishing PM token " + mPmToken);
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
try {
mPackageManagerBinder.finishPackageInstall(mPmToken);
} catch (RemoteException e) { /* can't happen */ }
}
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
// Furthermore we need to reset the session timeout clock
mBackupHandler.removeMessages(MSG_RESTORE_TIMEOUT);
mBackupHandler.sendEmptyMessageDelayed(MSG_RESTORE_TIMEOUT,
TIMEOUT_RESTORE_INTERVAL);
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
// done; we can finally release the wakelock
mWakelock.release();
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Modify the IBackupTransport API to support bulk restore operations. Change the BackupManagerService and LocalTransport to support the new API.
2009-06-24 00:16:33 -07:00
// Do the guts of a restore of one application, using mTransport.getRestoreData().
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
void processOneRestore(PackageInfo app, int appVersionCode, IBackupAgent agent,
boolean needFullBackup) {
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
// !!! TODO: actually run the restore through mTransport
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
final String packageName = app.packageName;
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.d(TAG, "processOneRestore packageName=" + packageName);
Less logging in some places. More in others.
2009-07-01 21:04:03 -04:00
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// !!! TODO: get the dirs from the transport
File backupDataName = new File(mDataDir, packageName + ".restore");
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
File newStateName = new File(mStateDir, packageName + ".new");
File savedStateName = new File(mStateDir, packageName);
ParcelFileDescriptor backupData = null;
ParcelFileDescriptor newState = null;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
final int token = generateToken();
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
try {
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
// Run the transport's restore pass
backupData = ParcelFileDescriptor.open(backupDataName,
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
ParcelFileDescriptor.MODE_READ_WRITE |
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE);
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
Make IBackupTransport.finishBackup() also return an int code, since it too can return TRANSPORT_NOT_INITIALIZED (in fact that's typically how it comes). For consistency, make other IBackupTransport methods return int instead of boolean, and handle accordingly. Make initializeDevice() its own method instead of a flag on performBackup(). This will be needed when un-checking the settings box anyway, and is conceptually unrelated to whatever happens to be the first post-initialization backup we perform. (Note that even if the init is sent separately from the backup operation, the server will remember that an init has been done and will *not* return NOT_INITIALIZED for the subsequent backup.) Fix LocalTransport accordingly (trivial changes). Handle failures more robustly in BackupManagerService -- most notably, doQueuedBackups() was ignoring the result code of processOneBackup(), so a NOT_INITIALIZED error would go past unseen (at least until the next backup pass). Keep track of error code returns more universally now. (This includes finishBackup(), of course.)
2009-09-21 17:04:05 -07:00
if (mTransport.getRestoreData(backupData) != BackupConstants.TRANSPORT_OK) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error getting restore data for " + packageName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
return;
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
// Okay, we have the data. Now have the agent do the restore.
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
backupData.close();
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
backupData = ParcelFileDescriptor.open(backupDataName,
ParcelFileDescriptor.MODE_READ_ONLY);
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
newState = ParcelFileDescriptor.open(newStateName,
ParcelFileDescriptor.MODE_READ_WRITE |
ParcelFileDescriptor.MODE_CREATE |
ParcelFileDescriptor.MODE_TRUNCATE);
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// Kick off the restore, checking for hung agents
prepareOperationTimeout(token, TIMEOUT_RESTORE_INTERVAL);
agent.doRestore(backupData, appVersionCode, newState, token, mBackupManagerBinder);
boolean success = waitUntilOperationComplete(token);
if (!success) {
throw new RuntimeException("restore timeout");
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
// if everything went okay, remember the recorded state now
Fix up the first-backup-ever tracking This changes a couple of bits of the Backup Manager's logic around first-backup-ever handling. First, it uses the same "what we've ever backed up" handling as the rest of the system for purposes of instructing the backend to do a wipe when the metadata is initialized for the device, instead of looking at the presence of the @pm@ file. Secondly, for the time being we won't be using the saved state produced by agents' doRestore() logic. Until the server is migrating each restored package's data over to the new dataset, this was resulting in the client holding an agent state blob for which no data existed on the server under this device's identity but which the device thought was fully up to date.
2009-09-20 15:28:33 -07:00
//
// !!! TODO: the restored data should be migrated on the server
// side into the current dataset. In that case the new state file
// we just created would reflect the data already extant in the
// backend, so there'd be nothing more to do. Until that happens,
// however, we need to make sure that we record the data to the
// current backend dataset. (Yes, this means shipping the data over
// the wire in both directions. That's bad, but consistency comes
// first, then efficiency.) Once we introduce server-side data
// migration to the newly-restored device's dataset, we will change
// the following from a discard of the newly-written state to the
// "correct" operation of renaming into the canonical state blob.
newStateName.delete(); // TODO: remove; see above comment
//newStateName.renameTo(savedStateName); // TODO: replace with this
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
int size = (int) backupDataName.length();
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_PACKAGE, packageName, size);
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error restoring data for " + packageName, e);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName, e.toString());
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
Clean up when an attempted restore throws When a restore agent throws an exception back into the framework, assume that it may have left the app's data in an inconsistent state and clear the data for that app (again -- it was cleared just prior to the attempted restore, too).
2009-07-20 14:49:13 -07:00
// If the agent fails restore, it might have put the app's data
// into an incoherent state. For consistency we wipe its data
// again in this case before propagating the exception
clearApplicationDataSynchronous(packageName);
Don't leave restore data lying around after the operation
2009-07-24 16:37:43 -07:00
} finally {
backupDataName.delete();
clean up error recovery; log events tracking backup activity
2009-07-27 12:20:13 -07:00
try { if (backupData != null) backupData.close(); } catch (IOException e) {}
try { if (newState != null) newState.close(); } catch (IOException e) {}
backupData = newState = null;
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
synchronized (mCurrentOperations) {
mCurrentOperations.delete(token);
}
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
// If we know a priori that we'll need to perform a full post-restore backup
// pass, clear the new state file data. This means we're discarding work that
// was just done by the app's agent, but this way the agent doesn't need to
// take any special action based on global device state.
if (needFullBackup) {
newStateName.delete();
}
The rest of the basic flow for restore Also moved the processOneBackup() implementation into the Thread class that runs the backup sequence.
2009-06-10 15:49:30 -07:00
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
class PerformClearTask implements Runnable {
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
IBackupTransport mTransport;
PackageInfo mPackage;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
PerformClearTask(IBackupTransport transport, PackageInfo packageInfo) {
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
mTransport = transport;
mPackage = packageInfo;
}
public void run() {
try {
// Clear the on-device backup state to ensure a full backup next time
File stateDir = new File(mBaseStateDir, mTransport.transportDirName());
File stateFile = new File(stateDir, mPackage.packageName);
stateFile.delete();
// Tell the transport to remove all the persistent storage for the app
Turn off the last of the STOPSHIP verbose debugging Change-Id: Id93f4c9e9fb8468a554ae1e5c5c767f72903662c
2009-09-30 20:06:45 -07:00
// TODO - need to handle failures
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
mTransport.clearBackupData(mPackage);
} catch (RemoteException e) {
// can't happen; the transport is local
} finally {
try {
Turn off the last of the STOPSHIP verbose debugging Change-Id: Id93f4c9e9fb8468a554ae1e5c5c767f72903662c
2009-09-30 20:06:45 -07:00
// TODO - need to handle failures
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
mTransport.finishBackup();
} catch (RemoteException e) {
// can't happen; the transport is local
}
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
// Last but not least, release the cpu
mWakelock.release();
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
}
}
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
class PerformInitializeTask implements Runnable {
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
HashSet<String> mQueue;
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
PerformInitializeTask(HashSet<String> transportNames) {
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
mQueue = transportNames;
}
public void run() {
try {
for (String transportName : mQueue) {
IBackupTransport transport = getTransport(transportName);
if (transport == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Requested init for " + transportName + " but not found");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
continue;
}
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "Initializing (wiping) backup transport storage: " + transportName);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_START, transport.transportDirName());
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
long startRealtime = SystemClock.elapsedRealtime();
int status = transport.initializeDevice();
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
if (status == BackupConstants.TRANSPORT_OK) {
status = transport.finishBackup();
}
// Okay, the wipe really happened. Clean up our local bookkeeping.
if (status == BackupConstants.TRANSPORT_OK) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "Device init successful");
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
resetBackupState(new File(mBaseStateDir, transport.transportDirName()));
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_SUCCESS, 0, millis);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
synchronized (mQueueLock) {
recordInitPendingLocked(false, transportName);
}
Better event log tracking for initializeDevice() requests -- on success, record "backup_initialize" event; on failure, record "backup_transport_failure" event (and add tags to "backup_transport_failure" events that aren't associated with a particular package -- namely "(initialize)" and "(finish)").
2009-09-29 19:12:31 -07:00
} else {
// If this didn't work, requeue this one and try again
// after a suitable interval
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Transport error in initializeDevice()");
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
synchronized (mQueueLock) {
recordInitPendingLocked(true, transportName);
}
// do this via another alarm to make sure of the wakelock states
long delay = transport.requestBackupTime();
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.w(TAG, "init failed on "
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
+ transportName + " resched in " + delay);
mAlarmManager.set(AlarmManager.RTC_WAKEUP,
System.currentTimeMillis() + delay, mRunInitIntent);
}
}
} catch (RemoteException e) {
// can't happen; the transports are local
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Unexpected error performing init", e);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
} finally {
Get rid of now-superfluous "backup or restore in progress" tracking Now that backup/restore/etc operations are queued and serialized, we no longer need to use external state tracking to prevent overlapping operations. Change-Id: I14f2a5d740cb97ae062aad55a06f49a2be5dd985
2010-02-02 15:18:58 -08:00
// Done; release the wakelock
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
mWakelock.release();
}
}
}
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
private void dataChangedImpl(String packageName) {
HashSet<ApplicationInfo> targets = dataChangedTargets(packageName);
dataChangedImpl(packageName, targets);
}
More restore plumbing, plus add suggested-backoff to transport API Adds most of the code for a background-thread restore process, structured much like the backup thread. Broke some common functionality out into a helper function for doing a synchronous wait for a requested agent to attach. Added a method to IBackupTransport whereby the transport will be asked for an opinion on whether this is a good time for a backup to happen. It will reply with the results of its policymaking around backoff intervals, time-of-day selection, etc.
2009-06-09 20:45:02 -07:00
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
private void dataChangedImpl(String packageName, HashSet<ApplicationInfo> targets) {
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
// Record that we need a backup pass for the caller. Since multiple callers
// may share a uid, we need to note all candidates within that uid and schedule
// a backup pass for each of them.
move event log tags used by system server into this package We can now locate event log tag definitions in individual packages (and java constants for the tag numbers get auto-generated), so move all the tags used by the system server into the package.
2009-12-04 10:31:43 -08:00
EventLog.writeEvent(EventLogTags.BACKUP_DATA_CHANGED, packageName);
More backup tests
2009-05-06 18:06:21 -07:00
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
if (targets == null) {
Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
+ " uid=" + Binder.getCallingUid());
return;
}
synchronized (mQueueLock) {
// Note that this client has made data changes that need to be backed up
for (ApplicationInfo app : targets) {
// validate the caller-supplied package name against the known set of
// packages associated with this uid
if (app.packageName.equals(packageName)) {
// Add the caller to the set of pending backups. If there is
// one already there, then overwrite it, but no harm done.
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
BackupRequest req = new BackupRequest(app);
Don't queue multiple pending backups for the same app Repeated install/replace of an app before it ran its first backup pass would wind up enqueueing multiple backup requests, all of which would run back to back when the time came. This no longer happens. Also, if a backup request is queued for an app that is then uninstalled before that request is honored, we no longer fail in expensive and log- intensive ways; we now fail cleanly, early. Bug 3133212 Change-Id: I745f5b2f966a1c874f34a0107a438ad42fa7f005
2010-12-14 16:16:44 -08:00
if (mPendingBackups.put(app.packageName, req) == null) {
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
// Journal this request in case of crash. The put()
// operation returned null when this package was not already
// in the set; we want to avoid touching the disk redundantly.
writeToJournalLocked(packageName);
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) {
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
int numKeys = mPendingBackups.size();
Slog.d(TAG, "Now awaiting backup for " + numKeys + " participants:");
for (BackupRequest b : mPendingBackups.values()) {
Slog.d(TAG, " + " + b + " agent=" + b.appInfo.backupAgentName);
}
}
}
}
}
}
}
// Note: packageName is currently unused, but may be in the future
private HashSet<ApplicationInfo> dataChangedTargets(String packageName) {
Allow privileged callers to schedule a backup pass for any app.
2009-06-16 17:16:42 -07:00
// If the caller does not hold the BACKUP permission, it can only request a
// backup of its own data.
Move backup state to settings, change permission checks to use symbol. This changes the backup service to use the settings provider instead of system properties, correspondingly making it off by default and allowing specific devices to define the transport. Also tweaks the permission checks to use the permission symbol instead of raw strings. This requires some corresponding changes in the vendor projects.
2009-07-01 19:55:20 -07:00
if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
Allow privileged callers to schedule a backup pass for any app.
2009-06-16 17:16:42 -07:00
Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
synchronized (mBackupParticipants) {
return mBackupParticipants.get(Binder.getCallingUid());
}
}
// a caller with full permission can ask to back up any participating app
// !!! TODO: allow backup of ANY app?
HashSet<ApplicationInfo> targets = new HashSet<ApplicationInfo>();
synchronized (mBackupParticipants) {
Allow privileged callers to schedule a backup pass for any app.
2009-06-16 17:16:42 -07:00
int N = mBackupParticipants.size();
for (int i = 0; i < N; i++) {
HashSet<ApplicationInfo> s = mBackupParticipants.valueAt(i);
if (s != null) {
targets.addAll(s);
}
}
}
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
return targets;
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
}
Add a Backup Manager interface to request a full backup Given a package name, the Backup Manager schedules a *full* (i.e. non- incremental) backup pass for that package. Also added the state-file handling for distinguishing to the target between the full and incremental backup requests.
2009-05-06 11:22:00 -07:00
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
private void writeToJournalLocked(String str) {
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
RandomAccessFile out = null;
try {
if (mJournal == null) mJournal = File.createTempFile("journal", null, mJournalDir);
out = new RandomAccessFile(mJournal, "rws");
out.seek(out.length());
out.writeUTF(str);
} catch (IOException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Can't write " + str + " to backup journal", e);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
mJournal = null;
} finally {
try { if (out != null) out.close(); } catch (IOException e) {}
Journal backup requests so that they won't be lost in a crash When an application requests a backup via dataChanged(), we now journal that fact on disk. The journal persists and is only removed following a successful backup pass. When the backup manager is started at boot time, it looks for any existing journal files and schedules a backup for the apps listed in them, on the expectation that the device shut down or crashed before a backup could be performed.
2009-06-12 12:55:53 -07:00
}
}
Don't block in the BackupManagerService.dataChanged() Binder call. This unnecessarily blocks callers. Bug: 2977348 Change-Id: I5267e575cdd5eb2136379f9710126b62a1bd75ad
2010-09-07 23:40:30 -07:00
// ----- IBackupManager binder interface -----
public void dataChanged(final String packageName) {
final HashSet<ApplicationInfo> targets = dataChangedTargets(packageName);
if (targets == null) {
Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
+ " uid=" + Binder.getCallingUid());
return;
}
mBackupHandler.post(new Runnable() {
public void run() {
dataChangedImpl(packageName, targets);
}
});
}
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
// Clear the given package's backup data from the current transport
public void clearBackupData(String packageName) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "clearBackupData() of " + packageName);
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
PackageInfo info;
try {
info = mPackageManager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
} catch (NameNotFoundException e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "No such package '" + packageName + "' - not clearing backup data");
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
return;
}
// If the caller does not hold the BACKUP permission, it can only request a
// wipe of its own backed-up data.
HashSet<ApplicationInfo> apps;
Clean up the last two literal permission string usages
2009-07-02 12:14:05 -07:00
if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
apps = mBackupParticipants.get(Binder.getCallingUid());
} else {
// a caller with full permission can ask to back up any participating app
// !!! TODO: allow data-clear of ANY app?
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Privileged caller, allowing clear of other apps");
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
apps = new HashSet<ApplicationInfo>();
int N = mBackupParticipants.size();
for (int i = 0; i < N; i++) {
HashSet<ApplicationInfo> s = mBackupParticipants.valueAt(i);
if (s != null) {
apps.addAll(s);
}
}
}
// now find the given package in the set of candidate apps
for (ApplicationInfo app : apps) {
if (app.packageName.equals(packageName)) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Found the app - running clear process");
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
// found it; fire off the clear request
synchronized (mQueueLock) {
Correct the backup manager's identity around wakelock use
2009-08-05 18:21:40 -07:00
long oldId = Binder.clearCallingIdentity();
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mWakelock.acquire();
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
Message msg = mBackupHandler.obtainMessage(MSG_RUN_CLEAR,
new ClearParams(getTransport(mCurrentTransport), info));
mBackupHandler.sendMessage(msg);
Correct the backup manager's identity around wakelock use
2009-08-05 18:21:40 -07:00
Binder.restoreCallingIdentity(oldId);
Add a "clear backed-up data" method to the backup mechanism It's now possible to ask that the backup manager wipe the saved data for a given application from the backing store. LocalTransport implements this now but the Google backend does not yet. When the data is wiped, the on-device backup state is also wiped to ensure that the next backup pushes all necessary data. Bmgr has not yet been modified to actually call into this method, but it will be soon.
2009-07-02 11:17:03 -07:00
}
break;
}
}
}
Sketch out a 'bmgr' command line tool Not finished, but eventually will allow adb shell access to the Backup Manager for testing purposes etc.
2009-06-15 18:07:25 -07:00
// Run a backup pass immediately for any applications that have declared
// that they have pending updates.
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
public void backupNow() {
Need to be able to call the backup manager from the system process.
2009-07-23 18:24:08 -04:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "backupNow");
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "Scheduling immediate backup pass");
Add a Backup Manager interface to request a full backup Given a package name, the Backup Manager schedules a *full* (i.e. non- incremental) backup pass for that package. Also added the state-file handling for distinguishing to the target between the full and incremental backup requests.
2009-05-06 11:22:00 -07:00
synchronized (mQueueLock) {
Disallow concurrent backups; consult transport requestBackupTime() * We now check for in-progress backups when asked to perform one, and don't bother firing off another one concurrently (nor do we adjust the scheduling; after all, someone asked to do a backup "now" and we're doing one, so we are in line with expectations). We also defer backup passes while a restore is in flight, and abort attempts to perform a restore during a backup pass. * When a backup attempt fails, we now ask the transport how far in the future we should put our retry. Previously we were simply not bothering to consult with the transport, so we would wind up retrying backup while network connectivity was known to be down, etc. Change-Id: Ic7758010b74e06e90c50d46b7b0dd01b17af7c90
2009-09-24 18:01:46 -07:00
// Because the alarms we are using can jitter, and we want an *immediate*
// backup pass to happen, we restart the timer beginning with "next time,"
// then manually fire the backup trigger intent ourselves.
startBackupAlarmsLocked(BACKUP_INTERVAL);
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
try {
mRunBackupIntent.send();
} catch (PendingIntent.CanceledException e) {
// should never happen
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "run-backup intent cancelled!");
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
}
Add a Backup Manager interface to request a full backup Given a package name, the Backup Manager schedules a *full* (i.e. non- incremental) backup pass for that package. Also added the state-file handling for distinguishing to the target between the full and incremental backup requests.
2009-05-06 11:22:00 -07:00
}
}
More backup tests
2009-05-06 18:06:21 -07:00
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// Run a *full* backup pass for the given package, writing the resulting data stream
// to the supplied file descriptor. This method is synchronous and does not return
// to the caller until the backup has been completed.
public void fullBackup(ParcelFileDescriptor fd, boolean includeApks, boolean includeShared,
boolean doAllApps, String[] pkgList) {
mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "fullBackup");
// Validate
if (!doAllApps) {
if (!includeShared) {
// If we're backing up shared data (sdcard or equivalent), then we can run
// without any supplied app names. Otherwise, we'd be doing no work, so
// report the error.
if (pkgList == null || pkgList.length == 0) {
throw new IllegalArgumentException(
"Backup requested but neither shared nor any apps named");
}
}
}
if (DEBUG) Slog.v(TAG, "Requesting full backup: apks=" + includeApks
+ " shared=" + includeShared + " all=" + doAllApps
+ " pkgs=" + pkgList);
long oldId = Binder.clearCallingIdentity();
try {
FullBackupParams params = new FullBackupParams(fd, includeApks, includeShared,
doAllApps, pkgList);
final int token = generateToken();
synchronized (mFullConfirmations) {
mFullConfirmations.put(token, params);
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// start up the confirmation UI
if (DEBUG) Slog.d(TAG, "Starting backup confirmation UI, token=" + token);
if (!startConfirmationUi(token, FullBackup.FULL_BACKUP_INTENT_ACTION)) {
Slog.e(TAG, "Unable to launch full backup confirmation");
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mFullConfirmations.delete(token);
return;
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
// make sure the screen is lit for the user interaction
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mPowerManager.userActivity(SystemClock.uptimeMillis(), false);
// start the confirmation countdown
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
startConfirmationTimeout(token, params);
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
// wait for the backup to be performed
if (DEBUG) Slog.d(TAG, "Waiting for full backup completion...");
waitForCompletion(params);
} finally {
try {
fd.close();
} catch (IOException e) {
// just eat it
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
Binder.restoreCallingIdentity(oldId);
}
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "Full backup done; returning to caller");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
}
public void fullRestore(ParcelFileDescriptor fd) {
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "fullRestore");
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
Slog.i(TAG, "Beginning full restore...");
long oldId = Binder.clearCallingIdentity();
try {
FullRestoreParams params = new FullRestoreParams(fd);
final int token = generateToken();
synchronized (mFullConfirmations) {
mFullConfirmations.put(token, params);
}
// start up the confirmation UI
if (DEBUG) Slog.d(TAG, "Starting restore confirmation UI, token=" + token);
if (!startConfirmationUi(token, FullBackup.FULL_RESTORE_INTENT_ACTION)) {
Slog.e(TAG, "Unable to launch full restore confirmation");
mFullConfirmations.delete(token);
return;
}
// make sure the screen is lit for the user interaction
mPowerManager.userActivity(SystemClock.uptimeMillis(), false);
// start the confirmation countdown
startConfirmationTimeout(token, params);
// wait for the restore to be performed
if (DEBUG) Slog.d(TAG, "Waiting for full restore completion...");
waitForCompletion(params);
} finally {
try {
fd.close();
} catch (IOException e) {
Slog.w(TAG, "Error trying to close fd after full restore: " + e);
}
Binder.restoreCallingIdentity(oldId);
Slog.i(TAG, "Full restore completed");
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
}
}
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
boolean startConfirmationUi(int token, String action) {
try {
Intent confIntent = new Intent(action);
confIntent.setClassName("com.android.backupconfirm",
"com.android.backupconfirm.BackupRestoreConfirmation");
confIntent.putExtra(FullBackup.CONF_TOKEN_INTENT_EXTRA, token);
confIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
mContext.startActivity(confIntent);
} catch (ActivityNotFoundException e) {
return false;
}
return true;
}
void startConfirmationTimeout(int token, FullParams params) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "Posting conf timeout msg after "
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
+ TIMEOUT_FULL_CONFIRMATION + " millis");
Message msg = mBackupHandler.obtainMessage(MSG_FULL_CONFIRMATION_TIMEOUT,
token, 0, params);
mBackupHandler.sendMessageDelayed(msg, TIMEOUT_FULL_CONFIRMATION);
}
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
void waitForCompletion(FullParams params) {
synchronized (params.latch) {
while (params.latch.get() == false) {
try {
params.latch.wait();
} catch (InterruptedException e) { /* never interrupted */ }
}
}
}
void signalFullBackupRestoreCompletion(FullParams params) {
synchronized (params.latch) {
params.latch.set(true);
params.latch.notifyAll();
}
}
// Confirm that the previously-requested full backup/restore operation can proceed. This
// is used to require a user-facing disclosure about the operation.
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
@Override
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
public void acknowledgeFullBackupOrRestore(int token, boolean allow,
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
String curPassword, String encPpassword, IFullBackupRestoreObserver observer) {
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
if (DEBUG) Slog.d(TAG, "acknowledgeFullBackupOrRestore : token=" + token
+ " allow=" + allow);
// TODO: possibly require not just this signature-only permission, but even
// require that the specific designated confirmation-UI app uid is the caller?
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "acknowledgeFullBackupOrRestore");
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
long oldId = Binder.clearCallingIdentity();
try {
FullParams params;
synchronized (mFullConfirmations) {
params = mFullConfirmations.get(token);
if (params != null) {
mBackupHandler.removeMessages(MSG_FULL_CONFIRMATION_TIMEOUT, params);
mFullConfirmations.delete(token);
if (allow) {
final int verb = params instanceof FullBackupParams
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
? MSG_RUN_FULL_BACKUP
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
: MSG_RUN_FULL_RESTORE;
Require the current backup pw in all backup/restore operations Specifically, we now also require the current password to confirm any restore operation. Bug 4901637 Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
2011-07-28 18:03:03 -07:00
params.observer = observer;
params.curPassword = curPassword;
params.encryptPassword = encPpassword;
Restore from a previous full backup's tarfile Usage: adb restore [tarfilename] Restores app data [and installs the apps if necessary from the backup file] captured in a previous invocation of 'adb backup'. The user must explicitly acknowledge the action on-device before it is allowed to proceed; this prevents any "invisible" pushes of content from the host to the device. Known issues: * The settings databases and wallpaper are saved/restored, but lots of other system state is not yet captured in the full backup. This means that for practical purposes this is usable for 3rd party apps at present but not for full-system cloning/imaging. Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
2011-05-18 16:28:19 -07:00
if (DEBUG) Slog.d(TAG, "Sending conf message with verb " + verb);
Full local backup infrastructure This is the basic infrastructure for pulling a full(*) backup of the device's data over an adb(**) connection to the local device. The basic process consists of these interacting pieces: 1. The framework's BackupManagerService, which coordinates the collection of app data and routing to the destination. 2. A new framework-provided BackupAgent implementation called FullBackupAgent, which is instantiated in the target applications' processes in turn, and knows how to emit a datastream that contains all of the app's saved data files. 3. A new shell-level program called "bu" that is used to bridge from adb to the framework's Backup Manager. 4. adb itself, which now knows how to use 'bu' to kick off a backup operation and pull the resulting data stream to the desktop host. 5. A system-provided application that verifies with the user that an attempted backup/restore operation is in fact expected and to be allowed. The full agent implementation is not used during normal operation of the delta-based app-customized remote backup process. Instead it's used during user-confirmed *full* backup of applications and all their data to a local destination, e.g. via the adb connection. The output format is 'tar'. This makes it very easy for the end user to examine the resulting dataset, e.g. for purpose of extracting files for debug purposes; as well as making it easy to contemplate adding things like a direct gzip stage to the data pipeline during backup/restore. It also makes it convenient to construct and maintain synthetic backup datasets for testing purposes. Within the tar format, certain artificial conventions are used. All files are stored within top-level directories according to their semantic origin: apps/pkgname/a/ : Application .apk file itself apps/pkgname/obb/: The application's associated .obb containers apps/pkgname/f/ : The subtree rooted at the getFilesDir() location apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent apps/pkgname/r/ : Files stored relative to the root of the app's file tree apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored. For each package, the first entry in the tar stream is a file called "_manifest", nominally rooted at apps/pkgname. This file contains some metadata about the package whose data is stored in the archive. The contents of shared storage can optionally be included in the tar stream. It is placed in the synthetic location: shared/... uid/gid are ignored; app uids are assigned at install time, and the app's data is handled from within its own execution environment, so will automatically have the app's correct uid. Forward-locked .apk files are never backed up. System-partition .apk files are not backed up unless they have been overridden by a post-factory upgrade, in which case the current .apk *is* backed up -- i.e. the .apk that matches the on-disk data. The manifest preceding each application's portion of the tar stream provides version numbers and signature blocks for version checking, as well as an indication of whether the restore logic should expect to install the .apk before extracting the data. System packages can designate their own full backup agents. This is to manage things like the settings provider which (a) cannot be shut down on the fly in order to do a clean snapshot of their file trees, and (b) manage data that is not only irrelevant but actively hostile to non-identical devices -- CDMA telephony settings would seriously mess up a GSM device if emplaced there blind, for example. When a full backup or restore is initiated from adb, the system will present a confirmation UI that the user must explicitly respond to within a short [~ 30 seconds] timeout. This is to avoid the possibility of malicious desktop-side software secretly grabbing a copy of all the user's data for nefarious purposes. (*) The backup is not strictly a full mirror. In particular, the settings database is not cloned; it is handled the same way that it is in cloud backup/restore. This is because some settings are actively destructive if cloned onto a different (or especially a different-model) device: telephony settings and AndroidID are good examples of this. (**) On the framework side it doesn't care that it's adb; it just sends the tar stream to a file descriptor. This can easily be retargeted around whatever transport we might decide to use in the future. KNOWN ISSUES: * the security UI is desperately ugly; no proper designs have yet been done for it * restore is not yet implemented * shared storage backup is not yet implemented * symlinks aren't yet handled, though some infrastructure for dealing with them has been put in place. Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
2011-04-01 14:43:32 -07:00
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(verb, params);
mBackupHandler.sendMessage(msg);
} else {
Slog.w(TAG, "User rejected full backup/restore operation");
// indicate completion without having actually transferred any data
signalFullBackupRestoreCompletion(params);
}
} else {
Slog.w(TAG, "Attempted to ack full backup/restore with invalid token");
}
}
} finally {
Binder.restoreCallingIdentity(oldId);
}
}
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
// Enable/disable the backup service
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
public void setBackupEnabled(boolean enable) {
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
"setBackupEnabled");
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "Backup enabled => " + enable);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
boolean wasEnabled = mEnabled;
synchronized (this) {
Move backup state to settings, change permission checks to use symbol. This changes the backup service to use the settings provider instead of system properties, correspondingly making it off by default and allowing specific devices to define the transport. Also tweaks the permission checks to use the permission symbol instead of raw strings. This requires some corresponding changes in the vendor projects.
2009-07-01 19:55:20 -07:00
Settings.Secure.putInt(mContext.getContentResolver(),
Settings.Secure.BACKUP_ENABLED, enable ? 1 : 0);
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
mEnabled = enable;
}
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
synchronized (mQueueLock) {
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
if (enable && !wasEnabled && mProvisioned) {
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
// if we've just been enabled, start scheduling backup passes
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
startBackupAlarmsLocked(BACKUP_INTERVAL);
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
} else if (!enable) {
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
// No longer enabled, so stop running backups
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.i(TAG, "Opting out of backup");
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
Hold a wakelock during backup/restore/clear operations We need to make sure we stay alive for the duration of a backup or (especially) restore operation. The existing Handler-based timing system was simply not properly functional, so it's been retooled to use a repeating alarm delivering a broastcast PendingIntent to our registered receiver. We acquire a partial wake lock in the broadcast receiver [i.e. while the Alarm Manager is holding one for the duration of broadcast delivery] and pass the wakelock object to the backup thread, which eventually releases it when it's finsihed operations. A similar pattern is used for the threads handling restore and clear.
2009-07-02 17:40:45 -07:00
mAlarmManager.cancel(mRunBackupIntent);
Clear the device's data from the transport when backup is disabled Turning off backup in the Settings UI constitutes an opt-out of the whole mechanism. For privacy reasons we instruct the backend to wipe all of the data belonging to this device when the user does this. If the attempt fails it is rescheduled in the future based on the transport's requestBackupTime() suggestion. If network connectivity changes prompt the transport to indicate a backup pass is appropriate "now," any pending init operation is processed before the backup schedule is resumed. The broadcasts used internally to the backup manager are now fully protected; third party apps can neither send nor receive them. (Also a minor logging change; don't log 'appropriate' EOF encountered during parsing of a backup data stream.)
2009-09-21 19:36:51 -07:00
// This also constitutes an opt-out, so we wipe any data for
// this device from the backend. We start that process with
// an alarm in order to guarantee wakelock states.
if (wasEnabled && mProvisioned) {
// NOTE: we currently flush every registered transport, not just
// the currently-active one.
HashSet<String> allTransports;
synchronized (mTransports) {
allTransports = new HashSet<String>(mTransports.keySet());
}
// build the set of transports for which we are posting an init
for (String transport : allTransports) {
recordInitPendingLocked(true, transport);
}
mAlarmManager.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(),
mRunInitIntent);
}
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
}
}
Revamp backup scheduling policy We now schedule a periodic check of pending backups; if any apps have requested a backup since the last check, we perform all of the pending backups. The periodic backup scheduling matches the enable/disable state of the backup manager; while backups are disabled entirely there are no periodic wakeups. The period is set here to one hour. If an external caller (transport, the 'bmgr' command line tool, etc) requests an immediate backup pass, that is performed and then the periodic backup check is rescheduled using that pass as the starting point of a new interval.
2009-07-01 12:34:29 -07:00
}
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
Add auto-restore setting and Backup Manager awareness thereof This setting, like BACKUP_ENABLE, should never be set directly in the secure settings database. Instead, it should be manipulated through the new IBackupManager method setAutoRestore(boolean). Change-Id: I5c3226ca85b6148bb756d753d7f9e4ea76e878c4
2010-02-03 15:11:15 -08:00
// Enable/disable automatic restore of app data at install time
public void setAutoRestore(boolean doAutoRestore) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
"setAutoRestore");
Add auto-restore setting and Backup Manager awareness thereof This setting, like BACKUP_ENABLE, should never be set directly in the secure settings database. Instead, it should be manipulated through the new IBackupManager method setAutoRestore(boolean). Change-Id: I5c3226ca85b6148bb756d753d7f9e4ea76e878c4
2010-02-03 15:11:15 -08:00
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.i(TAG, "Auto restore => " + doAutoRestore);
Add auto-restore setting and Backup Manager awareness thereof This setting, like BACKUP_ENABLE, should never be set directly in the secure settings database. Instead, it should be manipulated through the new IBackupManager method setAutoRestore(boolean). Change-Id: I5c3226ca85b6148bb756d753d7f9e4ea76e878c4
2010-02-03 15:11:15 -08:00
synchronized (this) {
Settings.Secure.putInt(mContext.getContentResolver(),
Settings.Secure.BACKUP_AUTO_RESTORE, doAutoRestore ? 1 : 0);
mAutoRestore = doAutoRestore;
}
}
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
// Mark the backup service as having been provisioned
public void setBackupProvisioned(boolean available) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"setBackupProvisioned");
boolean wasProvisioned = mProvisioned;
synchronized (this) {
Settings.Secure.putInt(mContext.getContentResolver(),
Settings.Secure.BACKUP_PROVISIONED, available ? 1 : 0);
mProvisioned = available;
}
synchronized (mQueueLock) {
if (available && !wasProvisioned && mEnabled) {
// we're now good to go, so start the backup alarms
startBackupAlarmsLocked(FIRST_BACKUP_INTERVAL);
} else if (!available) {
// No longer enabled, so stop running backups
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Backup service no longer provisioned");
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
mAlarmManager.cancel(mRunBackupIntent);
}
}
}
private void startBackupAlarmsLocked(long delayBeforeFirstBackup) {
Use setRepeating() rather than setInexactRepeating() for backup scheduling, and add some random fuzz to the scheduling times, to make sure we aren't creating hour-aligned server load spikes. See bug 2226553 for details & Dr. No information.
2009-10-30 17:35:39 -07:00
// We used to use setInexactRepeating(), but that may be linked to
// backups running at :00 more often than not, creating load spikes.
// Schedule at an exact time for now, and also add a bit of "fuzz".
Random random = new Random();
long when = System.currentTimeMillis() + delayBeforeFirstBackup +
random.nextInt(FUZZ_MILLIS);
mAlarmManager.setRepeating(AlarmManager.RTC_WAKEUP, when,
BACKUP_INTERVAL + random.nextInt(FUZZ_MILLIS), mRunBackupIntent);
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
mNextBackupPass = when;
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
}
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
// Report whether the backup mechanism is currently enabled
public boolean isBackupEnabled() {
Need to be able to call the backup manager from the system process.
2009-07-23 18:24:08 -04:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "isBackupEnabled");
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
return mEnabled; // no need to synchronize just to read it
}
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
// Report the name of the currently active transport
public String getCurrentTransport() {
Need to be able to call the backup manager from the system process.
2009-07-23 18:24:08 -04:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
Clean up the last two literal permission string usages
2009-07-02 12:14:05 -07:00
"getCurrentTransport");
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "... getCurrentTransport() returning " + mCurrentTransport);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
return mCurrentTransport;
}
// Report all known, available backup transports
public String[] listAllTransports() {
Fix up permissions for 'dumpsys backup'
2009-07-06 15:44:54 -07:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "listAllTransports");
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
String[] list = null;
ArrayList<String> known = new ArrayList<String>();
for (Map.Entry<String, IBackupTransport> entry : mTransports.entrySet()) {
if (entry.getValue() != null) {
known.add(entry.getKey());
}
}
if (known.size() > 0) {
list = new String[known.size()];
known.toArray(list);
}
return list;
Sketch out a 'bmgr' command line tool Not finished, but eventually will allow adb shell access to the Backup Manager for testing purposes etc.
2009-06-15 18:07:25 -07:00
}
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
// Select which transport to use for the next backup operation. If the given
// name is not one of the available transports, no action is taken and the method
// returns null.
public String selectBackupTransport(String transport) {
Need to be able to call the backup manager from the system process.
2009-07-23 18:24:08 -04:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "selectBackupTransport");
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
synchronized (mTransports) {
String prevTransport = null;
if (mTransports.get(transport) != null) {
prevTransport = mCurrentTransport;
mCurrentTransport = transport;
Move backup state to settings, change permission checks to use symbol. This changes the backup service to use the settings provider instead of system properties, correspondingly making it off by default and allowing specific devices to define the transport. Also tweaks the permission checks to use the permission symbol instead of raw strings. This requires some corresponding changes in the vendor projects.
2009-07-01 19:55:20 -07:00
Settings.Secure.putString(mContext.getContentResolver(),
Settings.Secure.BACKUP_TRANSPORT, transport);
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.v(TAG, "selectBackupTransport() set " + mCurrentTransport
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
+ " returning " + prevTransport);
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Attempt to select unavailable transport " + transport);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
}
return prevTransport;
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
}
Add a couple of transport-descriptive methods to IBackupManager Privileged callers can now ask the transport for a string describing its current state, and for an Intent that can be passed to startActivity() in order to bring up its exported configuration UI. These will be used in Settings in order to e.g. show the user the currently active account being used for backup, and allow the user to choose an account. The data being funnelled through IBackupManager here are the ones already exposed by the transports in their implementation of the IBackupTransport interface. Bug: 2753632 Change-Id: I2227a2b111d8d0ddf221d63020e20c1316fff55b
2010-12-08 18:40:26 -08:00
// Supply the configuration Intent for the given transport. If the name is not one
// of the available transports, or if the transport does not supply any configuration
// UI, the method returns null.
public Intent getConfigurationIntent(String transportName) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"getConfigurationIntent");
synchronized (mTransports) {
final IBackupTransport transport = mTransports.get(transportName);
if (transport != null) {
try {
final Intent intent = transport.configurationIntent();
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "getConfigurationIntent() returning config intent "
Add a couple of transport-descriptive methods to IBackupManager Privileged callers can now ask the transport for a string describing its current state, and for an Intent that can be passed to startActivity() in order to bring up its exported configuration UI. These will be used in Settings in order to e.g. show the user the currently active account being used for backup, and allow the user to choose an account. The data being funnelled through IBackupManager here are the ones already exposed by the transports in their implementation of the IBackupTransport interface. Bug: 2753632 Change-Id: I2227a2b111d8d0ddf221d63020e20c1316fff55b
2010-12-08 18:40:26 -08:00
+ intent);
return intent;
} catch (RemoteException e) {
/* fall through to return null */
}
}
}
return null;
}
// Supply the configuration summary string for the given transport. If the name is
// not one of the available transports, or if the transport does not supply any
// summary / destination string, the method can return null.
//
// This string is used VERBATIM as the summary text of the relevant Settings item!
public String getDestinationString(String transportName) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
Support full-backup encryption and global backup password If the user has supplied a backup password in Settings, that password is validated during the full backup process and is used as an encryption key for encoding the backed-up data itself. This is the fundamental mechanism whereby users can secure their data even against malicious parties getting physical unlocked access to their device. Technically the user-supplied password is not used as the encryption key for the backed-up data itself. What is actually done is that a random key is generated to use as the raw encryption key. THAT key, in turn, is encrypted with the user-supplied password (after random salting and key expansion with PBKDF2). The encrypted master key and a checksum are stored in the backup header. At restore time, the user supplies their password, which allows the system to decrypt the master key, which in turn allows the decryption of the backup data itself. The checksum is part of the archive in order to permit validation of the user-supplied password. The checksum is the result of running the user-supplied password through PBKDF2 with a randomly selected salt. At restore time, the proposed password is run through PBKDF2 with the salt described by the archive header. If the result does not match the archive's stated checksum, then the user has supplied the wrong decryption password. Also, suppress backup consideration for a few packages whose data is either nonexistent or inapplicable across devices or factory reset operations. Bug 4901637 Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
2011-07-19 16:32:49 -07:00
"getDestinationString");
Add a couple of transport-descriptive methods to IBackupManager Privileged callers can now ask the transport for a string describing its current state, and for an Intent that can be passed to startActivity() in order to bring up its exported configuration UI. These will be used in Settings in order to e.g. show the user the currently active account being used for backup, and allow the user to choose an account. The data being funnelled through IBackupManager here are the ones already exposed by the transports in their implementation of the IBackupTransport interface. Bug: 2753632 Change-Id: I2227a2b111d8d0ddf221d63020e20c1316fff55b
2010-12-08 18:40:26 -08:00
synchronized (mTransports) {
final IBackupTransport transport = mTransports.get(transportName);
if (transport != null) {
try {
final String text = transport.currentDestinationString();
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.d(TAG, "getDestinationString() returning " + text);
Add a couple of transport-descriptive methods to IBackupManager Privileged callers can now ask the transport for a string describing its current state, and for an Intent that can be passed to startActivity() in order to bring up its exported configuration UI. These will be used in Settings in order to e.g. show the user the currently active account being used for backup, and allow the user to choose an account. The data being funnelled through IBackupManager here are the ones already exposed by the transports in their implementation of the IBackupTransport interface. Bug: 2753632 Change-Id: I2227a2b111d8d0ddf221d63020e20c1316fff55b
2010-12-08 18:40:26 -08:00
return text;
} catch (RemoteException e) {
/* fall through to return null */
}
}
}
return null;
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
// Callback: a requested backup agent has been instantiated. This should only
// be called from the Activity Manager.
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
public void agentConnected(String packageName, IBinder agentBinder) {
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
synchronized(mAgentConnectLock) {
if (Binder.getCallingUid() == Process.SYSTEM_UID) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "agentConnected pkg=" + packageName + " agent=" + agentBinder);
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
IBackupAgent agent = IBackupAgent.Stub.asInterface(agentBinder);
mConnectedAgent = agent;
mConnecting = false;
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
+ " claiming agent connected");
}
mAgentConnectLock.notifyAll();
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
// Callback: a backup agent has failed to come up, or has unexpectedly quit.
// If the agent failed to come up in the first place, the agentBinder argument
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
// will be null. This should only be called from the Activity Manager.
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
public void agentDisconnected(String packageName) {
// TODO: handle backup being interrupted
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
synchronized(mAgentConnectLock) {
if (Binder.getCallingUid() == Process.SYSTEM_UID) {
mConnectedAgent = null;
mConnecting = false;
} else {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
+ " claiming agent disconnected");
}
mAgentConnectLock.notifyAll();
}
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
// An application being installed will need a restore pass, then the Package Manager
// will need to be told when the restore is finished.
public void restoreAtInstall(String packageName, int token) {
if (Binder.getCallingUid() != Process.SYSTEM_UID) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
+ " attemping install-time restore");
return;
}
long restoreSet = getAvailableRestoreToken(packageName);
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "restoreAtInstall pkg=" + packageName
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
+ " token=" + Integer.toHexString(token));
Start respecting the auto-restore-at-install setting Change-Id: I420ff6b4ba72f87bee56f45d8906f086f7a2b114
2010-02-25 15:22:48 -08:00
if (mAutoRestore && mProvisioned && restoreSet != 0) {
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
// okay, we're going to attempt a restore of this package from this restore set.
// The eventual message back into the Package Manager to run the post-install
// steps for 'token' will be issued from the restore handling code.
// We can use a synthetic PackageInfo here because:
// 1. We know it's valid, since the Package Manager supplied the name
// 2. Only the packageName field will be used by the restore code
PackageInfo pkg = new PackageInfo();
pkg.packageName = packageName;
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
msg.obj = new RestoreParams(getTransport(mCurrentTransport), null,
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
restoreSet, pkg, token, true);
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
mBackupHandler.sendMessage(msg);
} else {
Start respecting the auto-restore-at-install setting Change-Id: I420ff6b4ba72f87bee56f45d8906f086f7a2b114
2010-02-25 15:22:48 -08:00
// Auto-restore disabled or no way to attempt a restore; just tell the Package
// Manager to proceed with the post-install handling for this package.
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "No restore set -- skipping restore");
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
try {
mPackageManagerBinder.finishPackageInstall(token);
} catch (RemoteException e) { /* can't happen */ }
}
}
Add IRestoreSession interface for the restore flow Restore is a fairly complicated, somewhat stateful process, so we introduce a new interface to encapsulate the various bits and pieces into a nicely separable component. In particular, this will make it much cleaner to open and interrogate an expensive-to-construct transport and then reuse it for the actual restore process itself.
2009-06-07 19:33:20 -07:00
// Hand off a restore session
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
public IRestoreSession beginRestoreSession(String packageName, String transport) {
if (DEBUG) Slog.v(TAG, "beginRestoreSession: pkg=" + packageName
+ " transport=" + transport);
boolean needPermission = true;
if (transport == null) {
transport = mCurrentTransport;
if (packageName != null) {
PackageInfo app = null;
try {
app = mPackageManager.getPackageInfo(packageName, 0);
} catch (NameNotFoundException nnf) {
Slog.w(TAG, "Asked to restore nonexistent pkg " + packageName);
throw new IllegalArgumentException("Package " + packageName + " not found");
}
if (app.applicationInfo.uid == Binder.getCallingUid()) {
// So: using the current active transport, and the caller has asked
// that its own package will be restored. In this narrow use case
// we do not require the caller to hold the permission.
needPermission = false;
}
}
}
if (needPermission) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"beginRestoreSession");
} else {
if (DEBUG) Slog.d(TAG, "restoring self on current transport; no permission needed");
}
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
synchronized(this) {
if (mActiveRestoreSession != null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.d(TAG, "Restore session requested but one already active");
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
return null;
}
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
mActiveRestoreSession = new ActiveRestoreSession(packageName, transport);
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
mBackupHandler.sendEmptyMessageDelayed(MSG_RESTORE_TIMEOUT, TIMEOUT_RESTORE_INTERVAL);
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
}
return mActiveRestoreSession;
Add IRestoreSession interface for the restore flow Restore is a fairly complicated, somewhat stateful process, so we introduce a new interface to encapsulate the various bits and pieces into a nicely separable component. In particular, this will make it much cleaner to open and interrogate an expensive-to-construct transport and then reuse it for the actual restore process itself.
2009-06-07 19:33:20 -07:00
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
void clearRestoreSession(ActiveRestoreSession currentSession) {
synchronized(this) {
if (currentSession != mActiveRestoreSession) {
Slog.e(TAG, "ending non-current restore session");
} else {
if (DEBUG) Slog.v(TAG, "Clearing restore session and halting timeout");
mActiveRestoreSession = null;
mBackupHandler.removeMessages(MSG_RESTORE_TIMEOUT);
}
}
}
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
// Note that a currently-active backup agent has notified us that it has
// completed the given outstanding asynchronous backup/restore operation.
public void opComplete(int token) {
synchronized (mCurrentOpLock) {
Reduce backup manager logspew ...with particular attention to boot-time logging. In particular, the following kinds of messages are now cut unless someone turns on the new MORE_DEBUG flag in their local build: 08-01 11:25:32.203 155 223 V BackupManagerService: starting timeout: token=4f52ccd1 interval=30000 08-01 11:25:32.211 155 223 V BackupManagerService: opComplete: 4f52ccd1 08-01 11:25:32.211 155 223 V BackupManagerService: operation 4f52ccd1 complete: finalState=1 08-01 11:25:32.211 155 223 V PerformBackupThread: doBackup() success and 01-01 00:00:19.710 148 162 V BackupManagerService: Adding 9 backup participants: 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af0380 android} agent=com.android.server.SystemBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41aa5068 com.android.browser} agent=com.android.browser.BrowserBackupAgent uid=10005 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4199ce28 com.android.nfc3} agent=com.android.nfc.NfcBackupAgent uid=1025 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a6e170 com.android.providers.settings} agent=com.android.providers.settings.SettingsBackupAgent uid=1000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{4198ba90 com.android.providers.userdictionary} agent=com.android.providers.userdictionary.DictionaryBackupAgent uid=10000 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41a80190 com.android.vending} agent=com.android.vending.VendingBackupAgent uid=10042 killAfterRestore=false 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41ac2980 com.google.android.calendar} agent=com.android.calendar.CalendarBackupAgent uid=10007 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41b14fb8 com.google.android.gm} agent=com.google.android.gm.persistence.GmailBackupAgent uid=10020 killAfterRestore=true 01-01 00:00:19.710 148 162 V BackupManagerService: PackageInfo{41af89b8 com.google.android.inputmethod.latin} agent=com.android.inputmethod.latin.BackupAgent uid=10028 killAfterRestore=false and 01-01 00:00:20.000 148 162 D BackupManagerService: Now awaiting backup for 1 participants: 01-01 00:00:20.000 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.000 148 162 I BackupManagerService: New app com.android.browser never backed up; scheduling 01-01 00:00:20.015 148 162 D BackupManagerService: Now awaiting backup for 2 participants: 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.015 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.015 148 162 I BackupManagerService: New app com.android.nfc3 never backed up; scheduling 01-01 00:00:20.031 148 162 D BackupManagerService: Now awaiting backup for 3 participants: 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41b15110 android}} agent=com.android.server.SystemBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41ae5cf8 com.android.browser}} agent=com.android.browser.BrowserBackupAgent 01-01 00:00:20.031 148 162 D BackupManagerService: + BackupRequest{app=ApplicationInfo{41a47d88 com.android.nfc3}} agent=com.android.nfc.NfcBackupAgent ... [N times] and various other overly-chatty messages that aren't useful for the midrange debugging needs of early testing. Bug 5104300 Change-Id: I2b2afb5ba68059cb1f4cccc07f2833e43cd6fe94
2011-08-01 19:20:14 -07:00
if (MORE_DEBUG) Slog.v(TAG, "opComplete: " + Integer.toHexString(token));
Make backup/restore asynchronous and enforce timeouts Callouts to app backup agents are now asynchronous, and timeouts are applied if they take too long, hang, etc. The initial timeouts are set to 15 seconds on backup, 60 seconds on restore. These operations typically run at background priority, so it's necessary to give them ample time to run. As part of setting up this asynchronicity, the Backup Manager's internal thread management has been overhauled. It now spins off a single HandlerThread at startup, and runs backup/restore/etc operations *synchronously* in that thread, applying timeouts as appropriate. This means we're no longer spinning up new threads all the time, and furthermore it ensures that we can never have more than one operation in flight at once. Later CLs will remove the now-redundant logic that previously ensured that operations didn't stomp on each other. Bug: 2053560 Change-Id: Ie4315c219c7ff6dd8f51f2ad6c0872595b18cff1
2010-01-27 17:15:49 -08:00
mCurrentOperations.put(token, OP_ACKNOWLEDGED);
mCurrentOpLock.notifyAll();
}
}
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
// ----- Restore session -----
Move towards a formal public API for backup and restore This commit makes a few changes towards establishing a formal application interface for interacting with the backup/restore mechanism: 1. Introduce public wrapper classes around the various binder interfaces; 3rd party code will never see the binders directly. 2. Progress update callbacks during a restore sequence now occur on the main thread, not in a binder thread [and not with system-process permissions!]. 3. Rename the BackupManagerService's inner "RestoreSession" class to avoid ambiguity with the new public "RestoreSession" class.
2010-01-25 19:37:47 -08:00
class ActiveRestoreSession extends IRestoreSession.Stub {
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
private static final String TAG = "RestoreSession";
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
private String mPackageName;
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
private IBackupTransport mRestoreTransport = null;
RestoreSet[] mRestoreSets = null;
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
boolean mEnded = false;
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
ActiveRestoreSession(String packageName, String transport) {
mPackageName = packageName;
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
mRestoreTransport = getTransport(transport);
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
}
// --- Binder interface ---
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
public synchronized int getAvailableRestoreSets(IRestoreObserver observer) {
Need to be able to call the backup manager from the system process.
2009-07-23 18:24:08 -04:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
"getAvailableRestoreSets");
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
if (observer == null) {
throw new IllegalArgumentException("Observer must not be null");
}
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
if (mEnded) {
throw new IllegalStateException("Restore session already ended");
}
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
long oldId = Binder.clearCallingIdentity();
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
try {
Don't NPE if a restore session is requested for an invalid transport
2009-07-13 15:17:13 -07:00
if (mRestoreTransport == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Null transport getting restore sets");
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
return -1;
}
// spin off the transport request to our service thread
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_GET_RESTORE_SETS,
new RestoreGetSetsParams(mRestoreTransport, this, observer));
mBackupHandler.sendMessage(msg);
return 0;
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
} catch (Exception e) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.e(TAG, "Error in getAvailableRestoreSets", e);
Make RestoreSession.getAvailableRestoreSets() asynchronous This transaction can involve the transport having to query a remote backend over the wire, so it can take a Long Time(tm). Make it main-thread-safe by making it asynchronous, with the results passed as a callback to the invoker's RestoreObserver. We also make the IRestoreObserver callback interface properly oneway. Bug #2550665 Bug #2549422 Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
2010-03-29 19:14:24 -07:00
return -1;
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
} finally {
Binder.restoreCallingIdentity(oldId);
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
}
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
public synchronized int restoreAll(long token, IRestoreObserver observer) {
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"performRestore");
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
if (DEBUG) Slog.d(TAG, "restoreAll token=" + Long.toHexString(token)
Print restore tokens in hex
2009-08-10 15:43:36 -07:00
+ " observer=" + observer);
Less logging in some places. More in others.
2009-07-01 21:04:03 -04:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
if (mEnded) {
throw new IllegalStateException("Restore session already ended");
}
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
if (mRestoreTransport == null || mRestoreSets == null) {
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
Slog.e(TAG, "Ignoring restoreAll() with no restore set");
return -1;
}
if (mPackageName != null) {
Slog.e(TAG, "Ignoring restoreAll() on single-package session");
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
return -1;
}
Disallow concurrent backups; consult transport requestBackupTime() * We now check for in-progress backups when asked to perform one, and don't bother firing off another one concurrently (nor do we adjust the scheduling; after all, someone asked to do a backup "now" and we're doing one, so we are in line with expectations). We also defer backup passes while a restore is in flight, and abort attempts to perform a restore during a backup pass. * When a backup attempt fails, we now ask the transport how far in the future we should put our retry. Previously we were simply not bothering to consult with the transport, so we would wind up retrying backup while network connectivity was known to be down, etc. Change-Id: Ic7758010b74e06e90c50d46b7b0dd01b17af7c90
2009-09-24 18:01:46 -07:00
synchronized (mQueueLock) {
for (int i = 0; i < mRestoreSets.length; i++) {
if (token == mRestoreSets[i].token) {
long oldId = Binder.clearCallingIdentity();
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
msg.obj = new RestoreParams(mRestoreTransport, observer, token, true);
Disallow concurrent backups; consult transport requestBackupTime() * We now check for in-progress backups when asked to perform one, and don't bother firing off another one concurrently (nor do we adjust the scheduling; after all, someone asked to do a backup "now" and we're doing one, so we are in line with expectations). We also defer backup passes while a restore is in flight, and abort attempts to perform a restore during a backup pass. * When a backup attempt fails, we now ask the transport how far in the future we should put our retry. Previously we were simply not bothering to consult with the transport, so we would wind up retrying backup while network connectivity was known to be down, etc. Change-Id: Ic7758010b74e06e90c50d46b7b0dd01b17af7c90
2009-09-24 18:01:46 -07:00
mBackupHandler.sendMessage(msg);
Binder.restoreCallingIdentity(oldId);
return 0;
}
Flesh out restore interface on manager; work up most of LocalTransport
2009-06-10 20:23:25 -07:00
}
}
Don't let bmgr leave a restore session hanging on error Specifically, don't wait for the RestoreObserver to be informed that the restore has completed unless performRestore() ran. We were winding up in a case where bmgr was hanging forever waiting on a nonexistent restore process instead of calling endRestoreSession(). Also improve the documentation, explicitly calling out the need to call endRestoreSession() even if previous operations on the session were unsuccessful.
2009-08-10 16:13:47 -07:00
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Restore token " + Long.toHexString(token) + " not found");
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
return -1;
}
Can now restore a subset of apps from historical dataset Adds the ability to filter a restore of an historical dataset so that it only restores certain apps' data regardless of what is actually present in the dataset. This is currently only used by the bmgr command-line tool, for debugging / developer support. Bug 2021590 Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
2011-07-07 14:31:18 -07:00
public synchronized int restoreSome(long token, IRestoreObserver observer,
String[] packages) {
mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
"performRestore");
if (DEBUG) {
StringBuilder b = new StringBuilder(128);
b.append("restoreSome token=");
b.append(Long.toHexString(token));
b.append(" observer=");
b.append(observer.toString());
b.append(" packages=");
if (packages == null) {
b.append("null");
} else {
b.append('{');
boolean first = true;
for (String s : packages) {
if (!first) {
b.append(", ");
} else first = false;
b.append(s);
}
b.append('}');
}
Slog.d(TAG, b.toString());
}
if (mEnded) {
throw new IllegalStateException("Restore session already ended");
}
if (mRestoreTransport == null || mRestoreSets == null) {
Slog.e(TAG, "Ignoring restoreAll() with no restore set");
return -1;
}
if (mPackageName != null) {
Slog.e(TAG, "Ignoring restoreAll() on single-package session");
return -1;
}
synchronized (mQueueLock) {
for (int i = 0; i < mRestoreSets.length; i++) {
if (token == mRestoreSets[i].token) {
long oldId = Binder.clearCallingIdentity();
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
msg.obj = new RestoreParams(mRestoreTransport, observer, token,
packages, true);
mBackupHandler.sendMessage(msg);
Binder.restoreCallingIdentity(oldId);
return 0;
}
}
}
Slog.w(TAG, "Restore token " + Long.toHexString(token) + " not found");
return -1;
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
public synchronized int restorePackage(String packageName, IRestoreObserver observer) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
if (DEBUG) Slog.v(TAG, "restorePackage pkg=" + packageName + " obs=" + observer);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
if (mEnded) {
throw new IllegalStateException("Restore session already ended");
}
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
if (mPackageName != null) {
if (! mPackageName.equals(packageName)) {
Slog.e(TAG, "Ignoring attempt to restore pkg=" + packageName
+ " on session for package " + mPackageName);
return -1;
}
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
PackageInfo app = null;
try {
app = mPackageManager.getPackageInfo(packageName, 0);
} catch (NameNotFoundException nnf) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Asked to restore nonexistent pkg " + packageName);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
return -1;
}
// If the caller is not privileged and is not coming from the target
// app's uid, throw a permission exception back to the caller.
int perm = mContext.checkPermission(android.Manifest.permission.BACKUP,
Binder.getCallingPid(), Binder.getCallingUid());
if ((perm == PackageManager.PERMISSION_DENIED) &&
(app.applicationInfo.uid != Binder.getCallingUid())) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "restorePackage: bad packageName=" + packageName
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
+ " or calling uid=" + Binder.getCallingUid());
throw new SecurityException("No permission to restore other packages");
}
Add single-package restore to Bmgr feature set Also sanity-check the package name on the Backup Manager side, failing gracefully if the given package is not a backup/restore participant. Bug: 2293977 Change-Id: I3575046ffcaa3cf45c1c602824baeadd64082f70
2010-02-26 11:27:08 -08:00
// If the package has no backup agent, we obviously cannot proceed
if (app.applicationInfo.backupAgentName == null) {
Switch the services library to using the new Slog
2010-02-26 18:56:32 -08:00
Slog.w(TAG, "Asked to restore package " + packageName + " with no agent");
Add single-package restore to Bmgr feature set Also sanity-check the package name on the Backup Manager side, failing gracefully if the given package is not a backup/restore participant. Bug: 2293977 Change-Id: I3575046ffcaa3cf45c1c602824baeadd64082f70
2010-02-26 11:27:08 -08:00
return -1;
}
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// So far so good; we're allowed to try to restore this package. Now
// check whether there is data for it in the current dataset, falling back
// to the ancestral dataset if not.
Automatically restore app data at install time When an application being installed defines a backupAgent in its manifest, we now automatically perform a restore of the latest-known-good data for that app. This is defined as "data backed up by this app from this handset, if available; otherwise data for this app as it existed when the device was initially provisioned." If neither option exists for the app, no restore action is taken. The CL involves major changes in the Backup and Package Managers... * The Package Manager's act of installing an application has now been split into two separate phases, with a data-restore phase optionally occurring between these two PM actions. First, the details of the install are performed as usual. Instead of immediately notifying install observers and issuing the install-related broadcasts, the in-process install state is snapshotted and the backup manager notified that a restore operation should be attempted. It does this by calling a new API on IBackupManager, passing a token by which it identifies its in-progress install state. The backup manager then downloads [if possible] the data for the newly-installed application and invokes the app's backupAgent to do the restore. After this step, regardless of failure, it then calls back into the Package Manager to indicate that the restore phase has been completed, supplying the token that was passed in the original notification from the Package Manager. The Package Manager then runs the final post-install actions: notifying install observers and sending out all the appropriate broadcasts. It's only at this point that the app becomes visible to the Launcher and the rest of the OS. ... and a few other bits and pieces... * The ApplicationInfo.backupAgentName field has been exposed to the SDK. This can be reverted if there's a reason to do so, but it wasn't clear that this info needs to be hidden from 3rd party apps. * Debug logging of restore set IDs and operation timeout tokens [used during any asynchronous Backup Manager operation] are now consistently in hex for readability. * We now properly reset our binder identity before calling into the transport during restore-set operations. This fixes a permissions failure when a single-app restore was attempted. * The 'BackupTest' test app is no longer lumped onto the system partition by default. Change-Id: If3addefb846791f327e2a221de97c8d5d20ee7b3
2010-02-19 17:02:12 -08:00
long token = getAvailableRestoreToken(packageName);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
// If we didn't come up with a place to look -- no ancestral dataset and
// the app has never been backed up from this device -- there's nothing
// to do but return failure.
if (token == 0) {
Permission fix: don't require BACKUP perm for self-restores The public API is not supposed to require the BACKUP permission in order for an application to restore its own last-known-good backup data. However, as currently implemented, BackupManager.requestRestore() [the public API in question] depends on private Backup Manager methods that *do* enforce that permission. The net result is that the method cannot be successfully used by third party applications: it will throw an exception if attempted. This CL restructures the permission checking involved. First, the underlying beginRestoreSession() operation can now be passed a 'null' transport name; if this is done, then the restore session is begun on whatever the currently-active transport is. Looking up the name of the active transport is one of the permission-guarded actions that was required with the initial implementation. Second, a package name can now be passed to beginRestoreSession(). If this is done, then the restore session can only be used to perform a single-package restore of that one application. The BACKUP permission is not required if the caller is tying the restore to its own package name. In combination, these changes permit BackupManager.requestRestore() to function without the calling app needing to hold any special permission. The no-permission case is intentionally quite narrow: the caller must hold the permission unless they both (a) pass 'null' for the transport name, thereby accepting whatever the currently active transport is, and (b) pass their own package name to restrict the restore session only to their own app. External bug http://code.google.com/p/android/issues/detail?id=10094 Internal bug 3197202 Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
2010-11-16 15:10:49 -08:00
if (DEBUG) Slog.w(TAG, "No data available for this package; not restoring");
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
return -1;
}
// Ready to go: enqueue the restore request and claim success
long oldId = Binder.clearCallingIdentity();
mWakelock.acquire();
Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
Ensure that the first post-restore backup pass is correct Some restore passes bring an ancestral dataset to the application, but others instead act to bring an app back into sync with its own most- recently-saved data. In the latter case the state file written by the app after the restore is a correct basis for generating future backup deltas, but in the former case it is not. The app should not be required to distinguish between these cases; the framework has all the information necessary to handle the saved state correctly following any flavor of restore operation. This patch makes the Backup Manager properly cause a full backup pass following an ancestral-dataset restore. After a current-set restore the saved state file is an accurate description for purposes of continued backup operations, so is preserved. Change-Id: I5982f32c9bb17fb7c953b465673ced11c40b0d95
2010-10-29 12:57:04 -07:00
msg.obj = new RestoreParams(mRestoreTransport, observer, token, app, 0, false);
Add single-package restore from an app's most-recent data Renamed the RestoreSession performRestore() method to restoreAll(), and added a new restorePackage() method that only restores the single specified app. In order to restore an app other than itself, the caller must hold the android.permission.BACKUP permission. This change also introduces dataset tracking: the Backup Manager persistently remembers both the current backup dataset's identity and that of the "ancestral" dataset, i.e. the one most recently used for a whole-device restore such as performed by SetupWizard. When a single package is restored via restorePackage(), the selection of most-recent dataset to use is this: 1. The data from the currently-active backup dataset, if such exists. An app that has ever backed up data will therefore get its last- known-good data. 2. The app's data from the ancestral dataset, if such exists. This covers the case of a factory reset followed by reinstallation of an app at a later time. The app had not yet backed anything up post-wipe, but the old data is in the ancestral dataset and should be brought forward when the app reappears. 3. If neither 1. nor 2. exist, there is no data to restore, so just skip it and return failure. Note that the infrastructure to automatically attempt a restore after an application has been installed does not yet exist; that's coming. Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
2010-02-04 15:52:40 -08:00
mBackupHandler.sendMessage(msg);
Binder.restoreCallingIdentity(oldId);
return 0;
}
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
// Posted to the handler to tear down a restore session in a cleanly synchronized way
class EndRestoreRunnable implements Runnable {
BackupManagerService mBackupManager;
ActiveRestoreSession mSession;
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
EndRestoreRunnable(BackupManagerService manager, ActiveRestoreSession session) {
mBackupManager = manager;
mSession = session;
Allow zero-length lists in EventLog entries. (I'm verifying that the consumers of EventLog -- logcat, checkin -- are OK with this.) Improve the error handling in RestoreSession.
2009-07-29 12:57:16 -07:00
}
Less logging in some places. More in others.
2009-07-01 21:04:03 -04:00
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
public void run() {
// clean up the session's bookkeeping
synchronized (mSession) {
try {
if (mSession.mRestoreTransport != null) {
mSession.mRestoreTransport.finishRestore();
}
} catch (Exception e) {
Slog.e(TAG, "Error in finishRestore", e);
} finally {
mSession.mRestoreTransport = null;
mSession.mEnded = true;
}
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
}
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
// clean up the BackupManagerService side of the bookkeeping
// and cancel any pending timeout message
mBackupManager.clearRestoreSession(mSession);
More bmgr work; fix clear-data signalling The 'list sets' and 'restore token#' commands from bmgr now do what they are supposed to. At this point we see the restore target's data being cleared properly and its agent being launched and invoked for restore.
2009-06-16 11:02:01 -07:00
}
Revamp IRestoreSession a bit We now supply an array of RestoreSet objects instead of wacky Bundle shenanigans. Also, pushed beginRestoreSession() out to the BackupManager concrete interface class so that SetupWizard can use it. (beginRestoreSession() is @hide, non-privileged apps cannot use it. It's also guarded by android.permission.BACKUP enforcement.)
2009-06-08 15:24:01 -07:00
}
Time out orphaned / unresponsive restore sessions An app that fires up a restore session but then crashes or drops its session reference will currently render restore functions totally unavailable until the device is rebooted. This CL introduces an inactivity timeout [currently 60 seconds] on restore sessions, after which the session is shut down and becomes unavailable to the app who nominally still held it. Synchronization between the timeout and the normal asynchronous use of the session by the application is managed by running both the timeout action and the normal teardown process on the backup manager service's handler thread. Bug 3276362 Change-Id: I1f63b83e96e66b0e7eb15a1e20e375049babf06e
2010-12-13 18:27:26 -08:00
public synchronized void endRestoreSession() {
if (DEBUG) Slog.d(TAG, "endRestoreSession");
if (mEnded) {
throw new IllegalStateException("Restore session already ended");
}
mBackupHandler.post(new EndRestoreRunnable(BackupManagerService.this, this));
}
}
More backup work * Put in some permission enforcement around agent connection notification and full-backup scheduling. * Full backup now applies to any package, not just backup participants who have declared their own android:backupAgent * The process of running the backup operation on the set of apps who have been queued for it is now done in a separate thread, with a notification mechanism from the main Backup Manager service to pass along new-agent binding knowledge. There's no longer one do-backup message on the primary Handler per target application. * The new backup thread sets up the desired transport now and passes along the newly backed-up data to it for each backup target. Two transports have been defined so far, GoogleTransport and AdbTransport; both are stubs at present. Note that at present the backup data output file seems to be properly created, but after doBackup() is called on the test app's agent it's still zero size.
2009-06-02 16:11:00 -07:00
More backup tests
2009-05-06 18:06:21 -07:00
@Override
public void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
Print currentDestinationString() for each backup transport when doing a "adb shell dumpsys backup" Change-Id: I9a7d080ad50b715f693f3e16cae3d6e5b1189d47
2011-01-12 18:47:14 -08:00
long identityToken = Binder.clearCallingIdentity();
try {
dumpInternal(pw);
} finally {
Binder.restoreCallingIdentity(identityToken);
}
}
private void dumpInternal(PrintWriter pw) {
More backup tests
2009-05-06 18:06:21 -07:00
synchronized (mQueueLock) {
Make enable/provisioning of the backup service a two-step process This CL adds the concept of 'provisioned' to the backup manager. No backups will be scheduled until the user has indicated that backups are to be enabled *and* has clicked all the way through the setup wizard. When the user first turns on the backup system, the delay before the initial backup pass is different from the periodic backup interval. Currently that initial delay is 12 hours. The intent here is to guess at a less-active time for performing that first backup pass. NOTE: currently the backup service defaults to 'provisioned'. Once the real code goes live in Setup Wizard, this will be changed to default to not-provisioned until the user has confirmed all the relevant UI.
2009-07-06 16:36:05 -07:00
pw.println("Backup Manager is " + (mEnabled ? "enabled" : "disabled")
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
+ " / " + (!mProvisioned ? "not " : "") + "provisioned / "
Get rid of now-superfluous "backup or restore in progress" tracking Now that backup/restore/etc operations are queued and serialized, we no longer need to use external state tracking to prevent overlapping operations. Change-Id: I14f2a5d740cb97ae062aad55a06f49a2be5dd985
2010-02-02 15:18:58 -08:00
+ (this.mPendingInits.size() == 0 ? "not " : "") + "pending init");
Fix the build Change-Id: I41616afc75a3366ea7e9e79ac7ea4c46d1863d83
2010-02-25 17:13:28 -08:00
pw.println("Auto-restore is " + (mAutoRestore ? "enabled" : "disabled"));
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
pw.println("Last backup pass: " + mLastBackupPass
+ " (now = " + System.currentTimeMillis() + ')');
pw.println(" next scheduled: " + mNextBackupPass);
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
pw.println("Available transports:");
for (String t : listAllTransports()) {
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
pw.println((t.equals(mCurrentTransport) ? " * " : " ") + t);
try {
Print currentDestinationString() for each backup transport when doing a "adb shell dumpsys backup" Change-Id: I9a7d080ad50b715f693f3e16cae3d6e5b1189d47
2011-01-12 18:47:14 -08:00
IBackupTransport transport = getTransport(t);
File dir = new File(mBaseStateDir, transport.transportDirName());
pw.println(" destination: " + transport.currentDestinationString());
pw.println(" intent: " + transport.configurationIntent());
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
for (File f : dir.listFiles()) {
pw.println(" " + f.getName() + " - " + f.length() + " state bytes");
}
Print currentDestinationString() for each backup transport when doing a "adb shell dumpsys backup" Change-Id: I9a7d080ad50b715f693f3e16cae3d6e5b1189d47
2011-01-12 18:47:14 -08:00
} catch (Exception e) {
Slog.e(TAG, "Error in transport", e);
Only re-initialize backup state if @pm@ metadata is missing, to defensively work around a still-mysterious bug where the list of saved packages ends up being empty even though we still have state pending. If we do re-initialize, then wipe all state to make sure the right thing happens. Don't keep open journal files -- close them after every update. A bit less efficient, but possibly more reliable (again, this is defensive programming here). Also change "rwd" to "rws" mode for fully synchronous operation.
2009-09-30 11:20:45 -07:00
pw.println(" Error: " + e);
}
Use system properties to track the current transport This change retools the transport selection mechanism a fair bit. Transports are now specified by name rather than by numeric ID, and the name of the currently selected transport is stored in a persistent system property under the name "persist.service.bkup.trans". The name -> IBackupTransport translation is now handled by maintaining a map from the names to the live IBackupTransport objects that correspond. The Google transport service observer now registers and unregisters the transport as the service goes up and down. The bmgr command has been expanded to include real transport interrogation and selection by name, and some documentation has been written for it.
2009-06-26 21:07:13 -07:00
}
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
pw.println("Pending init: " + mPendingInits.size());
for (String s : mPendingInits) {
pw.println(" " + s);
}
More backup tests
2009-05-06 18:06:21 -07:00
int N = mBackupParticipants.size();
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
pw.println("Participants:");
More backup tests
2009-05-06 18:06:21 -07:00
for (int i=0; i<N; i++) {
int uid = mBackupParticipants.keyAt(i);
pw.print(" uid: ");
pw.println(uid);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
HashSet<ApplicationInfo> participants = mBackupParticipants.valueAt(i);
for (ApplicationInfo app: participants) {
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
pw.println(" " + app.packageName);
More backup tests
2009-05-06 18:06:21 -07:00
}
}
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
pw.println("Ancestral packages: "
+ (mAncestralPackages == null ? "none" : mAncestralPackages.size()));
Fix 'dumpsys backup' "for (Type foo : mSetOfType)" doesn't work when mSetOfType is null. Change-Id: Iac667c7309f99b12d3147830e166b542b29cba5f
2010-04-04 17:45:35 -07:00
if (mAncestralPackages != null) {
for (String pkg : mAncestralPackages) {
pw.println(" " + pkg);
}
Remember which apps have available restore info in the ancestral dataset When we perform a full-system restore, remember the set of applications which have data available in our ancestral dataset. This is a key filter for not having to do a round trip to the [remote] storage backend at app-install time unless it is likely to be fruitful. Change-Id: I7c77b490c560c581888d84f02f258b2e2d73bc69
2010-02-08 16:22:24 -08:00
}
Ensure that everything gets backed up at least once We now schedule a backup pass for any new application we see (at boot or package-install time) for which we have never performed a backup. The bookkeeping is a log file with the names of all the packages we've successfully completed a backup pass on, maintained with synchronous journal-type behavior. Also, make a bunch of private fields package-scoped to permit cheaper access from the various worker / binder threads that run under the Backup Manager's aegis.
2009-07-15 14:18:26 -07:00
pw.println("Ever backed up: " + mEverStoredApps.size());
for (String pkg : mEverStoredApps) {
pw.println(" " + pkg);
}
Add more useful-for-debug info to 'dumpsys backup' Change-Id: I52e20bac01ff63feaf28920a79311881992293a3
2009-09-29 17:17:34 -07:00
pw.println("Pending backup: " + mPendingBackups.size());
Add app version to the backup metadata We now record the version number of the app (drawn from its manifest versionCode attribute) along with its signatures. At restore time, we compare the version associated with the restore set with the version present on the device. If the restore set is from a newer version of the app than is present on device, we do not perform the restore operation. Also fix the pending-backup iteration in 'dumpsys backup'.
2009-06-19 14:14:22 -07:00
for (BackupRequest req : mPendingBackups.values()) {
Implement persistent enable/disable of the backup manager Backup & restore is still enabled by default, but with the expectation that it will be enabled during the course of the Setup Wizard or some other privileged entity that has notified the user about the ramifications. While disabled, data-changed notices will still be collected, but no backup pass will be scheduled. When the backup manager is later enabled, any pending data-changed notices will then be processed and the apps invoked for backup.
2009-06-29 14:56:28 -07:00
pw.println(" " + req);
Retool the backup process to use a new 'BackupAgent' class Backups will be handled by launching the application in a special mode under which no activities or services will be started, only the BackupAgent subclass named in the app's android:backupAgent manifest property. This takes the place of the BackupService class used earlier during development. In the cases of *full* backup or restore, an application that does not supply its own BackupAgent will be launched in a restricted manner; in particular, it will be using the default Application class rather than any manifest-declared one. This ensures that the app is not running any code that may try to manipulate its data while the backup system reads/writes its data set.
2009-05-14 11:12:14 -07:00
}
More backup tests
2009-05-06 18:06:21 -07:00
}
}
First baby steps towards settings backup This change adds a sketched outline of the backup system architecture, with all of the major pieces represented other than client-side helpers for specific types of data. IBackupManager and BackupService are public so that we can write test apps against SDK-domain symbols from the outset. What code exists in this change hasn't been tested and may crash. It's the beginnings of the real implementation but of course is barely begun.
2009-04-29 14:03:25 -07:00
}
Reference in New Issue Copy Permalink