67 Commits

Author SHA1 Message Date
Christopher Tate
e77c12ba37 Don't run full-data backups when backup is disabled
If the scheduled job fires but backup is disabled or the device is
not yet provisioned (i.e. has not yet finished going through setup),
bow out gracefully without running any backup operations.  Also, even
if a backup is directly invoked (e.g. via adb), verify again right
before we start collecting app data, and abandon the operation in
that path as well.

(This is redundant; having only the latter test would suffice, but
this lets us distinguish in the logging more easily.)

Finally, make sure that if we were waiting on setup before permitting
backup operations to begin, that we start up the full-data scheduling
as well as the [separate] key/value scheduling.

Bug 19197062

Change-Id: I3d8fb650c50f946d8ed7ac7170df361c707f2528
2015-01-29 15:47:43 -08:00
Christopher Tate
cf96260118 Don't write widget metadata to backup unless it's new/changed
Redundant backup traffic is bad.  Don't commit the widget metadata payload
(or the deletion operation for it) unless the widget state of the app has
actually changed since the last backup.

Bug 19003911

Change-Id: I93819173c0e2357b030d9e2b3d2ee57f2410bb57
2015-01-15 17:37:06 -08:00
Christopher Tate
b89e1405cf Support single-package backup rejection by the transport
We now cleanly handle the case of the transport blacklisting specific
packages from key/value backup.  Previously we would halt the entire
backup pass and reschedule if the transport returned any error from
performBackup(pkg).  Now, we recognize the TRANSPORT_PACKAGE_REJECTED
result from that invocation, and properly drop that package's work
but proceed with running the rest of the backup queue as expected.

Bug 18694053

Change-Id: Id0dd6d59492bdea9f970540d776f37db0cc5d99c
2015-01-06 15:48:33 -08:00
Christopher Tate
603ad6f7d0 Remove the "backup_data_changed" event log
Nowadays it's just spammy and uninformative, so away it goes.

Bug 18833115

Change-Id: Ic373c596d7a892c4fedc0343e2c03dc1c295225e
2015-01-05 17:07:57 -08:00
Christopher Tate
22192ada99 Correctly parse previous PMBA state during backup
Bug 18628030

Change-Id: Iefa23de50dd9e1b27cfa5d887f117876d57e4083
2014-12-04 19:38:55 -08:00
Christopher Tate
a7e47d5d34 Don't crash if a system restore fails before constructing the PMBA
If a whole-system restore operation failed at just the wrong point,
we'd wind up in the teardown code without a certain vital bit of it
having been initialized, and crash on the null pointer.  Now we
recognize this failure mode and make sure not to do that.

Bug 18574450

Change-Id: Ifa2c10ce16bb3c6bc916ed7151c5fd51b7225691
2014-12-01 14:37:28 -08:00
Zoltan Szatmary-Ban
201caf57f9 Adding method to query backup manager service activity status
Bug: 17367491
Change-Id: I9920c07d56c4c0ccb1f3dce637c0fb390902d2ff
2014-11-12 23:51:31 +00:00
Christopher Tate
bbe23b31dc Enable runtime turndown of backup/restore services
The heavy implementation of the backup manager service is now sitting
behind a lightweight trampoline that actually provides the binder
call interface.  The indirection allows us now to tear down the
implementation on the fly without breaking callers who have cached
binder references to the backup services: these callers will simply
see their future invocations failing benignly.

In addition there is now an API for suitably privileged callers such
as device policy management to effect this turndown.

Finally, there is now a static system property, "ro.backup.disable",
that a product can use to outright remove backup/restore operation
from the system's operation.  The public APIs will continue to be
safely usable on such products but no data will be moved to or
from the device.

Bug 17367491

Change-Id: I8108e386ef3b5c967938fae483366d6978fe4e04
2014-11-07 18:40:47 +00:00
Christopher Tate
a28b5c5160 Eliminate race condition around backup completion + resumption
Ensure that the callback always sees the current-operation state in sync
with the various other bits of internal backup-operation state.  Previously
only the current-operation state was managed inside the critical section;
this resulted in a slim race window where a callback could see an ongoing
operation as still valid, but after the internal state on which that
operation depended had already been cleared.

Bug 17931760

Change-Id: Ia032668e7a9d22f1029c57fc98db9e86484d5719
2014-10-16 13:56:45 -07:00
Christopher Tate
0f32717a17 Fix spurious restore session timeouts
The restore-session idle timeout should not be ticking while we're
doing legitimate restore work.  We now explicitly stop the timeout
ticker [a delayed message on our handler thread] whenever we undertake
a valid restore operation.  The timer is already correctly resumed
when restore operations conclude.

(In practice we need to suspend the timeout tracking at exactly those
times when we're entering the wakelock-protected restore flow.  The
timeout is reestablished when the wakelock is released; this part
is already in the code.)

Bug 17990544

Change-Id: I7318020ce30fd9c35bc3a644f8c101fd3d063c8b
2014-10-16 01:34:01 +00:00
Christopher Tate
2aa1d18e3a Fix bug 17931760 - spurious timeout leads to mayhem
We know a priori that the PMBA metadata package's backup pass
doesn't need to be tracked for timeout, because it's run inline
rather than as an asynchronous separate-process operation.

Change-Id: Ifd21ab3a016917f5e557a38c1c88f8d8ac1337d2
2014-10-09 15:20:24 -07:00
Christopher Tate
6067d79807 Actually tell the widget service that restore is starting
Before beginning a full-system restore we need to tell the widget service,
so that it can properly start remapping IDs from the ground state.

Bug 17869323

Change-Id: I152257563f5b52cae67244e936bc2c44ced7618d
2014-10-08 18:14:02 +00:00
Christopher Tate
ecae211616 adb backup/restore fixes
Bug 17811327 : teach adb restore about the new widget metadata entries

Bug 14165872 : -nosystem should not act like -onlysystem

Change-Id: I39da0ba80df7c5309a78ec1fa38016cebd80aa5f
2014-10-03 18:26:29 -07:00
Christopher Tate
64f10efab7 Track enable/disable of transport components
For fallback / rollback of backup transport selection we need to
handle live enable/disable of legacy or superseded transports.
We now watch for component enable state changes in packages that
host transports, and rebind as needed.

The semantics for selecting the current transport have also been
adjusted.  We no longer require that the selected transport be
live and currently bound in order to be designated as the active
instance.  This prevents nondeterministic races around upgrade
and replacement.

Bug 17136637

Change-Id: Idaf45cf4522a23576444e6b11626ee3f7f47c36c
2014-09-12 22:01:12 +00:00
Christopher Tate
539b217b76 The transport system API needs to manage binder identity
...around writing settings.  It does its own proper permission check;
it just needs to make sure not to accidentally crash the caller in
strange and wondrous ways because of failing to clear binder identity
before writing the result to secure settings.

Bug 16542048

Change-Id: I88d1f2dbeebd24eed5d86989f0ca0d834878b054
2014-09-03 14:12:11 -07:00
Christopher Tate
674d3e7501 Do not require device provisioning to do restore-at-install
Provisioning is a milestone used for gating *backup* operation,
but it's important that restores be possible during the setup
process.  In particular, some applications such as home apps may
be deliberately pushed for install after platform restore, but
before the end of the setup process.  We need to be able to do
install-time restores of such apps.

Bug 17288313

Change-Id: Iaff5d9919e6392b2ca5925be4d63a4116cd11f77
2014-08-27 13:54:51 -07:00
Christopher Tate
915f1dc785 Remember having done full-data as well as key/value app backups
The "what have we ever successfully backed up?" log is used to determine
whether we can do an install-time restore from the currently-live dataset
rather than go back to the ancestral dataset (if any).  We now track
apps that have gotten a successful full-data backup through the transport,
not just key/value backups.

Bug 17263823

Change-Id: If21350a8dd8aaa4ed02fb74101617e935920e4ae
2014-08-26 18:32:55 -07:00
Paul Lawrence
b8e6838583 Merge "Fix adb backup for encrypted case" into lmp-dev 2014-08-23 20:44:30 +00:00
Matthew Williams
d1c06753d0 Implement API review feedback for JobScheduler
BUG: 17005336

Took the opportunity to clean up some back-off logic

Change-Id: Ibc8ae34d1d44dd064ba071e4cbad17872f7e38cf
2014-08-22 16:08:45 -07:00
Christopher Tate
e7bbe47833 Merge "Automatically bind to newly-installed backup transports" into lmp-dev 2014-08-22 21:11:41 +00:00
Christopher Tate
5684dae9cc Automatically bind to newly-installed backup transports
They'll be rebound automatically at boot, but need to be brought
up immediately.  As always they can only be provided by privileged
apps.

Bug 16542048

Change-Id: I9f121a5c111a772deb3f0c44166002a2cbb16ad5
2014-08-22 13:29:46 -07:00
Paul Lawrence
32d06732cd Fix adb backup for encrypted case
New behavior. Backup no longer uses the encryption password. This is in
part because that is hard with patterns, in part because it is a security
issue - the offline backup is much easier to brute force than the phone.

Instead, we simply insist on an encryption password if your device is encrypted
and locked.

Bug: 17159330
Change-Id: Ia22f84722522abf0b569a3ef1e16ead5527c726d
2014-08-22 11:22:43 -07:00
Brian Carlstrom
8def5cbb3a Move SystemBackupAgent from services.jar to frameworks.jar
Bug: 17168017
Change-Id: I89b98ca839a78eeb7fb43930e0699ee235deafad
2014-08-21 23:15:13 -07:00
Christopher Tate
b2707afb0c Maintain transport connection through package updates
When a package is updated, existing bindings to that package's
services are severed and must be manually re-established.  Now
that the transport can be updated outside the system per se,
make sure that we detect these cases and rebind as needed.

Bug 16139912

Change-Id: I5d6fa75bb86484f8f7d4f8e93c9157773995e6a7
2014-08-21 00:25:53 +00:00
Christopher Tate
9dbba1b669 Don't crash good-citizen restore session clients
If an app is trying to do the right thing and end its restore sessions
cleanly, but winds up being slow and having the session timed out from
under them, don't crash them with an illegal state exception for having
appeared to end the session twice.

Bug 17133115

Change-Id: I0a0989e2067b156569bddb6626ce045e625c6604
2014-08-19 18:24:06 -07:00
Christopher Tate
10ab095a5b Minor restore fixes
1. We were missing a 'break' in the session-timeout case of
   message dispatch, so were falling through into a different
   case.  Oops.  Fortunately it was benign; the other case's
   logic was merely logging "hey it doesn't look like there's
   anything to do here" and cleanly exiting.

2. After a restore operation finishes we were previously
   always leaving the session timeout clock running.  However,
   this was not appropriate in the case of restore-at-install,
   when the restore was a one-shot kicked off by the package
   manager rather than an operation on an ongoing RestoreSession.
   That logic now properly tidies up the session timeout when
   winding up the restore in either situation.

Bug 17080648

Change-Id: I51d4a50db4feefc4c355230a3bfb926ea2fb5944
2014-08-18 22:01:43 +00:00
Christopher Tate
a63246d6da Tighten restore-at-install behavior
Harden the guarantee that if we're asked about a possible restore,
we always ALWAYS report back to the package manager.  This involved
closing "should never happen" edge cases around provisioning/auto-restore
setting that nevertheless were happening.

Also, on the auto-restore setting front, make sure to plumb that
system API through appropriately, since going behind its back and
manipulating the secure setting directly would cause things to get
out of step.

Bug 17060654

Change-Id: I52ca9c1ffbfc0bd6b57196157500d0868bfc2989
2014-08-15 11:22:01 -07:00
Christopher Tate
bf1a4a81eb Start using cancelFullBackup() when appropriate
The API was in place but the framework wasn't yet calling it.

Bug 16524520

Change-Id: Ie368758c830a7d0ad11e7dd3142a0ed896069944
2014-08-09 00:48:47 +00:00
Christopher Tate
0660244119 Merge "Sanity-check paths of files to be restored" into lmp-dev 2014-08-07 15:00:45 +00:00
Christopher Tate
4cf9f007e6 Add event logs for full backup/restore milestones
Bug 16689703

Change-Id: If870f1b7b9cb3929ac1edc38affc688a37c2acfd
2014-08-06 19:24:33 +00:00
Michael Wright
46db93404b Ensure backup schedule file is closed.
Change-Id: Ie4a62cda74815c67c62fb08e8df25a71d6102d4c
2014-08-05 19:58:27 +00:00
Christopher Tate
cce4760343 Sanity-check paths of files to be restored
The duplicated implementations are an artifact of an ongoing
refactor of the full-data restore code.  The adb-specific path
will be switched to use the FullRestoreEngine [as has already
been done for the 'adb backup' path using the parallel full
backup engine], at which point the extra implementation here
will be removed, but for now we need to make sure that all
bases are covered.

Bug 16298491

Change-Id: I9cdb8a1c537939a620208df3cf0e921061b981ad
2014-08-04 15:13:16 -07:00
Christopher Tate
7dfbaf52db Make archive metadata idempotent
We want to make sure that the manifest and widget metadata
blocks are identical, including their in-stream headers, if
we regenerate the archive without underlying filesystem changes.

Bug 15968355

Change-Id: I828b264545d19e1d865d98d5723915d02fafc012
2014-07-29 21:06:29 +00:00
Christopher Tate
c17739d112 Provide outside-facing API for data management intent+label
Bug 16346320

Change-Id: I3f4c2f4b700c77880ba3d8db7c92cdb404763d0d
2014-07-28 23:13:06 +00:00
Christopher Tate
5eeb59cceb Schedule full backups
Initial policy:  at most daily; backups only run when the
device is idle + charging + on an unmetered network.

Bug 16485874

Change-Id: I5665d890a943bac765adcef14be79d7dba6ce078
2014-07-28 01:21:48 +00:00
Christopher Tate
7ff106c20d A couple of restore fixes:
* Fix crasher after transport-level failure attempting to ask for
  the name of the next package to be restored

* Current-dataset single-package restore path no longer requires
  that the package have its own backup agent.

Bug 16548983

Change-Id: Id37f2f0e6075d53c414d9a997bf738bbf0cfff8b
2014-07-24 18:58:23 -07:00
Christopher Tate
a4e4d68f08 Handle single-package restores properly
Bug 16346405

Change-Id: I69e3288f5a9d68d818fad6a2cd4b27ad45c1007e
2014-07-22 23:42:48 +00:00
Christopher Tate
f7cbb1fc25 Always check restore against the latest backend metadata
Bug 16484934

Change-Id: I472a7db89a94b9804f6ea94c25da206dd111a497
2014-07-22 15:12:02 -07:00
Christopher Tate
89101f7fe8 Tear down agents properly at EOD in full restore
The restore engine wasn't tearing down the bound agent after reaching
the end of data for the app, and furthermore was allowing the restore
operation to resume running the queue before all data had been delivered
to the current target.

Also make LocalTransport deliver data in 2K chunks rather than 32K,
as a first step towards making its timing characteristics more like
we'll see in networked situations.

Finally, added a bunch of MORE_DEBUG output for finding odd bugs
like this.

Change-Id: Icdbe6a070af6cc7c708a938ad044108d40ebce9a
2014-07-17 19:12:09 -07:00
Christopher Tate
5f7f252b45 Properly end full restore attempt if getNextFullRestoreDataChunk() fails
Don't just drop the error return on the floor and retry (forever!).

Change-Id: I5f0ef2d09ea286d813add69517f865e474341b43
2014-07-17 23:01:04 +00:00
Christopher Tate
2e40d115ca Add BackupAgent.onRestoreFinished() callback
The agent's onRestoreFinished() method is called after all available
data has been delivered to the app, whether via the key/value restore
API or the full-data file-at-a-time API.  This gives the app a stable
opportunity to do any postprocessing that might be appropriate.

Also fixes a lingering bug in the framework's handling of backup
agent lifetimes.  In cases where an existing agent instance was
being rebound, the framework was forgetting to notify the dependent
that the agent was available.  This was causing timeouts and restore
failure.

Bug 16241004

Change-Id: I3f52b299312d30d38b0cba63a2cfaeb934991ef2
2014-07-17 17:43:24 +00:00
Christopher Tate
a176d22110 Always call finishBackup() if performFullBackup() succeeded
Even if we later get an error from sendBackupData() we need to give
the transport its teardown callback.  This simplifies the transport
logic considerably.

Change-Id: Ib8c0e210d4a876ee6b083a4d619dfccc462da4e5
2014-07-16 13:10:58 -07:00
Christopher Tate
a7835b6b6b Add Context.getNoBackupFilesDir()
This is an app-private filesystem space exactly like the one
reported by Context.getFilesDir(), with one exception:  files
placed here are never backed up by the full-backup infrastructure.
If an app attempts to back up any of its contents via the normal
API it's immediately ignored with a logged warning.

The restriction is also enforced on the restore side, because
apps using support libraries might wind up creating full backup
archives containing no_backup subdirs on pre-L devices (via
adb backup, Helium, &c.).  We check for this before passing the
restore data to the app, and drop it if we detect the situation
so that the app never sees the bits.

Bug 16240573

Change-Id: I11216a391f1d32117ec7ce15aafc9cd93d0337de
2014-07-14 22:56:04 +00:00
Christopher Tate
8f1bb3a0d4 Fix NPE in platform restore
Bug 16061451

Change-Id: I79d7913455886828a493a0c4ea850d259bfeeeab
2014-07-08 13:00:33 -07:00
Jeff Sharkey
d746057f24 Change new file installs to be cluster-based!
Now that all the other pieces are in place, we're ready to start
installing new file-based packages as a cluster (the new unified
directory-based layout).  This greatly simplifies the renaming
process.

Also add helper methods to ApplicationInfo to give a much clearer
mapping between it and internal field names, since we can't change
the public API.

Add recursive restorecon().

Bug: 14975160
Change-Id: I72a63c5ddbc594c2fec4a91dd59f73ef253fbfd7
2014-07-08 00:38:57 -07:00
Christopher Tate
51fea57e06 Refactor restore to deal with heterogeneous datasets
Transport-based restore now handles both key/value and full-data
(stream) data delivery.

Also: PMBA now holds metadata for *all* apps, not just those with
backup agents.  Since we need to consult this for every restore-
at-install operation we cache this locally now, tagged per transport
and per remote dataset, to avoid having to re-download it as part
of every future restore operation.

Also fixed a bug in LocalTransport that was preventing restore of
key/value datasets, i.e. all of them that were nominally available
prior to this change.

NOTE: at present there is no automatic full-data backup; if for
testing purposes you need to create some to then use for restore,
you still need to use 'bmgr fullbackup ...' to push them.

NOTE: at present the unified transport restore uses a refactored
"engine" implementation to handle stream data that encapsulates
the existing "adb restore" implementation.  However, the adb
restore code path has not yet been refactored to wrap the newly-
extracted engine version; it still contains its own copy of all
the relevant logic.  This will change in a future CL, at which
point offline/USB archive restore will simply wrap the same
shared stream-restore engine implementation.

Bug 15330073
Bug 15989617

Change-Id: Ieedb18fd7836ad31ba24656ec9feaaf69e164af8
2014-06-30 17:43:05 -07:00
Christopher Tate
6a49dd087f Tweak restore API
We need the transport to tell the system not only what package it's going
to deliver data for next, but also what format that data is in.

Change-Id: I989cf78febf923a4208acb33ed80ccc7869356f5
2014-06-17 14:29:09 -07:00
Christopher Tate
9ff53a7100 Implement full data backup through transport
Currently no timed/scheduled full-data backup operations are
performed by the OS, but the plumbing is now in place and can
be tested using 'adb shell bmgr fullbackup pkg [pkg2 pkg3 ...]'.

The LocalTransport test transport implementation has been augmented
to support the new full-data backup API as well.

In addition, 'adb backup' now takes the -compress/-nocompress
command line options to control whether the resulting archive is
compressed before leaving the device.  Previously the archive was
always compressed.  (The default is still to compress, as it will
usually reduce the archive size considerably.)

Internally, the core implementation of gathering the full backup
data stream from the target application has been refactored into
an "engine" component that is shared by both 'adb backup' and the
transport-oriented full backup task.  The archive file header
generation, encryption, and compression logic are now factored out
of the engine itself instead of being hardwired into the data
handling.

Bug 15329632

Change-Id: I4a044faa4070d684ef457bd3e11771198cdf557c
2014-06-15 17:35:33 -07:00
Christopher Tate
4dd2635bf5 Add full-backup stream API to BackupTransport
Also started migrating the definition of transport success/failure constants
into BackupTransport to make them permanent.

The new methods are not yet plumbed in; this is just to allow forward
progress against a proposed stable API.

Bug 15329632

Change-Id: I27472e09b831350c140b9fa548ebda3af334eb1a
2014-06-02 18:57:21 -07:00
Elliott Hughes
f97c63350a Move internal libcore.os users over to android.system.
Change-Id: I84e1ace19ba3b4e58d7bb24f3ecda1bdf5dc75a5
2014-04-28 16:38:43 -07:00