The bug was that when an app was uninstalled, the Backup Manager was
discarding its bookkeeping about that app being represented in the
device's current live backup dataset. This in turn meant that if the
app was subsequently reinstalled, its data would not be restored from
that most-recent dataset: it would be restored from the *ancestral*
dataset if possible, or not at all.
Now the "ever backed up" state is retained correctly, and the app
will get its most-recent-data restored as expected.
Bug 7394519
Change-Id: I733cf41737765676e0a3a05fb1bcd32b165cb4ba
Two distinct changes:
Fix a bug seen in the wild where a newly-launched application will be
spuriously asked to instantiate a backup agent. What was happening
there is that some Activity Manager state was being left stale in certain
circumstances, and then in combination with app uninstall / install, there
could be a case where uid reuse wound up looking like an app identity
match.
We now positively verify before instantiating the agent that the intended
backup target package is uid-compatible with the app process that the
instantiation was requested of. The incomplete bookkeeping in the
Activity Manager has also been tightened up, and the Backup Manager is
more aggressive about cleaning up pending operations pertaining to
apps being uninstalled.
Bug 5874010
Change-Id: Ic389f4a96c9dcd0ba6b3962b579084033d8ae9f8
(1) Prevent full restore from creating files/directories that are
accessible by other applications
(2) Don't restore filesets from "system" packages; i.e. any that runs
as a special uid, unless they define their own agent for handling
the restore process.
Bug 7168284
Change-Id: Id6a0cb4c113c2e4a8c4605252cffa41bea22d8a3
Fixed one setting that was migrated but not marked deprecated.
Removed a hidden setting that is no longer used by the new
power manager service.
Bug: 7231172
Change-Id: I332f020f876a18d519a1a20598a172f1c98036f7
When building external storage paths, always include user in path
to enable cross-user paths and aid debugging.
Each Zygote process continues to only have access to the appropriate
user-specific emulated storage through bind mounts. A second set of
mounts continue supporting legacy /sdcard-style paths. For example,
a process running as owner has these mount points:
/storage/emulated_legacy
/storage/emulated_legacy/Android/obb
/storage/emulated/0
/storage/emulated/obb
Since Environment is created before Zygote forks, we need to update
its internal paths after each process launches.
Bug: 7131382
Change-Id: I6f8c6971f2a8edfb415c14cb4ed05ff97e587a21
When a restore dataset includes data for an app that used to have
a backup agent, but does not in the currently-installed version, we
were merrily trying to bring up the agent for restore anyway, and
crashing. Now we don't do that; we check whether there's actually
going to be an agent to handle the data before doing any of the
heavy work.
Bug 7130695
Change-Id: I0a38c2a8bb51d4a140a72d22896fa58d98ebaa02
Replaced all remaining places that used it with explicit user
specification.
While doing this, I ran into stuff that was creating PendingIntent
objects (that now need to specify the explicit user they are for),
which are also posting notifications... but have no way to specify
the user for the notification.
So the notification manager in the system process now also gets a
formal concept of a user associated with the notification, which
is passed in to all the necessary aidl calls. I also removed the
old deprecated aidl interface for posting/cancelling notifications,
since we now always need a user supplied.
There is more work that needs to be done here, though. For example
I think we need to be able to specify USER_ALL for a notification that
should be shown to all users (such as low storage or low battery).
Along with that, the PendingIntent creation needs to be tweaked to
be able to handle USER_CURRENT by evaluating the user at the point the
pending intent is sent.
That's for another change, however.
Change-Id: I468e14dce8def0e13e0870571e7c31ed32b6310c
For now only the device owner "user" gets cloud backups. Also, only the
device owner account has access to local backup/restore.
Bug 6956438
Change-Id: I87d7ba5969e606c23f4214469f9bf2fd47a6c61b
Previously, the setup app was responsible for telling the backup
manager through a side band that the user had passed through the
backup/restore-related portion of the setup flow. Now that the
flow has been streamlined and certain mandatory portions of it
are no longer relevant, we can ditch the whole idea of the backup
manager's internal "provisioned" state. This makes setup and the
setup "wizard" applications less fragile as well as eliminating
the possibility of unrecoverable "backup was never provisioned"
failure modes.
Now, the only check the backup manager has to do is against the
full "device is provisioned" flag, just like all of the other
components on the phone that only become usable after the setup
process has exited [such as phone calls].
Bug 6493520
Change-Id: I13ec8dd8baa1e74ed8569b0326219a98a7f632a9
This never worked properly; now it does. We also no longer
do a redundant pair of remove/add operations when a package is
updated.
Bonus memory savings: we were keeping sets of ApplicationInfo
objects as part of the ongoing bookkeeping, but those were no longer
being used for anything other than the package names. That's been
tossed out now and only the name strings are now used; hooray for
memory savings!
Change-Id: I4c6e592a1680e28550bcb4f76789260ded22280d
Previously, if using the "local" debugging transport:
adb shell bmgr wipe com.android.browser
adb shell bmgr wipe com.android.browser
... would bring down the runtime. This no longer happens. The fix
covers two aspects of the situation: 1. the local transport no longer
blows up in this use case, and 2. the backup manager itself now catches
blowups on the part of the transport, and tidies up after them.
Bug 6205185
Change-Id: Ieb9b8827a62523148ad5a0ec15b05a954d198b3d
In particular, if the low-level zip or crypto layers of the output
pipeline throw, the output becomes invalid at that point, but we
were not properly detecting this; we were missing the exception and
the runtime was going down. Now we catch any such fatal exception
and make sure to shut down the backup operation cleanly, leaving
the output at whatever point in its construction that it had
achieved.
Bug 6131870
Change-Id: If0fe0337857404b776f407a79d11dd88b8e60fd0
Fixes a crash that would occur if an app with a pending backup
pass in the pipeline was updated to remove its agent declaration
from the manifest (or other more esoteric ways that a backup
pass was expected to run for an app without their own agent).
Bug 5776591
Change-Id: I5a8bc8c12de6a2bfa82f5093fe3a15b754109ab1
Switching activity stacks
Cache ContentProvider per user
Long-press power to switch users (on phone)
Added ServiceMap for separating services by user
Launch PendingIntents on the correct user's uid
Fix task switching from Recents list
AppWidgetService is mostly working.
Commands added to pm and am to allow creating and switching profiles.
Change-Id: I15810e8cfbe50a04bd3323a7ef5a8ff4230870ed
The special shared-storage step was mistakenly writing its data directly
to the USB output pipe rather than to the proper stacked data handling
chain that applies compression and encryption. Fix this by getting rid
of the custom handling of the shared-storage data, instead folding it
into the normal data handling flow [with a small amount of additional
management because e.g. it doesn't need a "manifest" pseudofile in the
archive stream].
Fixes bug 5897791
Change-Id: I3995b07963334d2f8cce49b247c87d3d3ff93bed
Plug a couple of apparent code paths (one not obviously reachable, but
fixed here on general principles) that could lead to a backup pass
getting confused partway through and simply never properly completing.
In this state it would leave its wakelock held forever until next
reboot. Bug 5828859.
Those fixes are a total of two lines of code. The rest of the patch
adds a textual journal of the most recently completed (or ongoing!)
backup pass's progress, with an eye to being able to isolate any such
issues that may crop up in the future.
Change-Id: If8a5e8aba11db5a1e618d8b9c9ba3038dd5377a1
In particular, don't do O(asec_apps * installed_apps) work during the
broadcast receiver's operation. On devices with many installed apps
and a large number of them moved to ASECs, this was causing the system
process to become unresponsive and the watchdog to fire -- which in turn
would initiate a restart loop, as the same package-installed broadcast
would then be issued again once the package manager rescanned the ASEC
containers, ad infinitum. With this change, the expensive call to the
package manager is only made once rather than asec_apps times.
Bug 5850283
Change-Id: I14e280ea1fa6af19cebc58869a20fbb599c92c8c
This supersedes any backup-password that the user might supply. Per
design, the device encryption password is also always used to encrypt
the backup archive.
The CL introduces two new strings, used for prompting the user for
their device encryption password rather than their settings-defined
"backup password" when confirming a full backup or restore operation.
Bug 5382487
Change-Id: I0b03881b45437c944eaf636b6209278e1bba7a9f
Although it's typical for a backup transport to report that it
needs an explicit initialization opportunity when the backup is
initiated, it can sometimes come to pass that the "needs init"
error condition is reported at backup *finish*. In this case the
framework side was failing to properly reset all of the relevant
state. The end result was to spin hard forever, holding wakelocks
and continually failing to actually perform the necessary init
operation, possibly continuing even after a reboot. Fixed.
Bug 5434579
Change-Id: If1d72c338526e4019ea524c48a11e71e44e77f71
We've seen cases (bug 5417779) where the transport kicked off an immediate
backup operation but then was perfectly content to allow the periodic
timer to start *another* pass concurrently while the first was still in
progress. This wound up with the backup manager getting mightily
confused and leaking wakelock acquisitions, which is Very Bad(tm).
This patch adds a little bookkeeping so that the backup manager is aware
of backups in flight, and refuses to kick off a new one until the ongoing
one has finished.
Change-Id: If12b54f4db3effc8af36d31c58d8f9b415ddc01e
This makes it easy to back up everything that belongs to 3rd party apps, but
nothing that comes with the system per se. If any system packages are
explicitly named on the command line they will be included in the backup
even if -nosystem was passed. So, for example, this will back up all 3rd
party apps as well as system settings, but nothing else belonging to
system-deployed apps:
adb backup -all -nosystem com.android.provider.settings
Bug 5361503
Change-Id: Iebe04b7d7027ca58b9f55e8eb7f219d6cca69269
The text of the dumped output can potentially include an email address;
we don't want random code to be able to read it.
Bug 5389201
Change-Id: If84886357a36b7015878e4d72017abba83b4c511
Casualty of the recent refactoring: in this particular error case,
the restore sequence wasn't being directed into the finalization
state. Fixes bug 5336295.
Change-Id: Ibf5570cd1003e123da8b561685de8479663340ce
On the restore side, there's a bunch of one-time setup, device
provisioning, etc that we're very much not prepared to do in
lieu of running setup wizard, at least at this time.
On the backup side, it simply doesn't make sense to back up
stuff before the device has been set up.
Part of bug 5290261
Change-Id: If1c65e88e2da589d6204232d2b59c3e994f4ed3f
Running full backup/restore on the Backup Manager looper thread causes problems.
It not only interfered with the delayed-Message timeout processing; in the case
of installing apks during restore it also interfered fatally with the interaction
between the Package Manager and install-time restore of data from the cloud.
The long-term right thing to do here will be a refactoring of full backup and
restore to be structured as the sort of state-machine process that incremental
backup and restore now use. This is particularly thorny in the case of full
restore (due to the Package Manager interactions), and full backup/restore are
considered experimental at this point, so that refactoring is deferred to a
future release. The current process is essentially standalone, so the bug is
fixed here pro tem by letting it run to completion on its own thread, freeing
the looper for normal work.
Fixes bug 5173450
Change-Id: I659a61afa18ffe7fde1a07f7fa0e860d5e8d5a89
This patch parallels the previous one that fixed backup timeouts.
It establishes the same sort of state-machine process for walking
through the restore steps solely as events posted to the backup
manager's HandlerThread.
Fixes the rest of bug 5074923
Change-Id: I122a021cb1e9bb1342de0b71e5d4bc84cc630c58
Away in the misty span of very-long-ago, it was suggested that spinning
a separate thread to run the backup process was wasteful, and that it
could just run it inline on the dedicated HandlerThread that the
backup manager uses for its own operations. That was indeed true,
except that the timeout management was also using delayed messages
to that handler. You see where this is going: timeouts were never
actually being processed, with the effect that a badly-behaving
app's backup agent could lock up the entire backup / restore system
until the device was rebooted.
This is bad.
Backup operations are now driven as an asynchronous state machine:
each step (init, call one agent to obtain data, send resulting
data to the transport, finalize the backup) is handled as a formal
state transition on-looper. No synchronous wait-for-completion
or -timeout is performed on any thread.
As an additional effect this greatly tightens up the serialization
and locking semantics. We no longer have to worry about an in-
flight operation involving a standalone thread spinning off on
its own; everything is on the HandlerThread and can be coherently
manipulated from that perspective.
Along the way, this CL tightens up the per-agent error handling
logic. Previously a single failed agent would abort the entire
backup process, tantamount to a transport-level failure. This could
mean that the aforesaid badly-behaving app's agent could in effect
starve out other apps whose agents were routinely showing up later
in the queue. There's some nondeterminism involved, but in practice
it could and did happen. Furthermore, the failure case would
reschedule *immediately* in this case, because the transport itself
would see that all is well and sure, why not run a backup soon?
This, as you might imagine, causes battery-life issues.
Now we note that the single agent has failed, mark it for a future
repeat attempt, and process the rest of the queue normally, pretending
success at the transport level even though we didn't actually send
any data for that app. This means that (a) we now finish running
backups for everything in the queue, (b) reschedule backups only for
those apps whose agents individually failed during this run, and
(c) perform the retry after the normal interval [typically on the
order of an hour] rather than immediately.
NOTE: this CL does not retool the restore code path, just backup.
Restore is similarly vulnerable to misbehaving apps, though, so a
future CL will address that bug vector.
Addresses bug 5074923
Change-Id: I67e3f8d06f322607881eaa4093de6d675b85ff2c
Certain kinds of application update generate this broadcast regime rather
than the REMOVE / ADD sequence that results from e.g. using the -r option
when invoking 'adb install'.
We also push the agent classname lookup to the last moment before
actually running the backup, rather than caching it as part of the
record of what apps need a backup pass in the future. This was causing
a bug in which a package reinstall that renamed the app's agent class
would wind up with a crash at backup time, trying to load the wrong
class.
Fixes bug 5156094 / bug 4308977
Change-Id: I4e3e12d86e6ee40809f14fd12ab762116dbee0b5
...by once and for all making all of the code deal appropriately with
expected partial reads. We also now produce a properly conformant
underlying 'tar' EOF sequence [which will be compressed to almost
nothing] to doubly bulletproof the end-of-archive logic.
Fixes bug 5133658
Change-Id: I24a785574861d64ef10fc727b9f6b235575696b0
There was a hole where if no backup pw was supplied and the current
pw authentication field was also left blank, it wound up not verifying
and just proceeding with the backup.
Change-Id: I857d8e83cbb2b3bf6b6b04848c5696ef0cf393a1
The old version of this code would silently truncate odd-length
Signatures. However, this masks some bugs. Add a throw of
IllegalArgumentException so users can easily see where they're getting
bad input for Signatures.
Also, go through the existing code and catch this exception or
pre-check the input strings so system_server doesn't crash later.
Bug: 5092338
Change-Id: I8c672c5eaeb738a92c4581ce0df09baf719980ef
Specifically, we now also require the current password to confirm any
restore operation.
Bug 4901637
Change-Id: I39ecce7837f70cd05778cb7e0e6390ad8f6fe3f3
If the user has supplied a backup password in Settings, that password
is validated during the full backup process and is used as an encryption
key for encoding the backed-up data itself. This is the fundamental
mechanism whereby users can secure their data even against malicious
parties getting physical unlocked access to their device.
Technically the user-supplied password is not used as the encryption
key for the backed-up data itself. What is actually done is that a
random key is generated to use as the raw encryption key. THAT key,
in turn, is encrypted with the user-supplied password (after random
salting and key expansion with PBKDF2). The encrypted master key
and a checksum are stored in the backup header. At restore time,
the user supplies their password, which allows the system to decrypt
the master key, which in turn allows the decryption of the backup
data itself.
The checksum is part of the archive in order to permit validation
of the user-supplied password. The checksum is the result of running
the user-supplied password through PBKDF2 with a randomly selected
salt. At restore time, the proposed password is run through PBKDF2
with the salt described by the archive header. If the result does
not match the archive's stated checksum, then the user has supplied
the wrong decryption password.
Also, suppress backup consideration for a few packages whose
data is either nonexistent or inapplicable across devices or
factory reset operations.
Bug 4901637
Change-Id: Id0cc9d0fdfc046602b129f273d48e23b7a14df36
The backup format now includes a stream header. That header begins with
a magic string and version number, then includes a flag stating whether
the archive data is compressed, and then in the case of encrypted archives
states the password salt used during encryption key stretching.
When compression is used, everything following the header is run through
a standard zlib "deflate" compressor before being sent downstream.
Change-Id: Ica72753e4ef2c3d13e63b45e7722a00652940a55
Zlib compression, with a full flush between each application's
data. Encryption will be performed on the already-compressed data
once that's implemented.
On restore, the streamed data is similarly uncompressed on the fly.
Change-Id: I19b65c88e759a66527d10913d18fffa9df0bc011
Adds the ability to filter a restore of an historical dataset so that it
only restores certain apps' data regardless of what is actually present
in the dataset. This is currently only used by the bmgr command-line tool,
for debugging / developer support.
Bug 2021590
Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
New methods for full backup/restore have been added to BackupAgent
(still hidden): onFullBackup() and onRestoreFile(). The former is the
entry point for a full app backup to adb/socket/etc: the app then writes
all of its files, entire, to the output. During restore, the latter
new callback is invoked, once for each file being restored.
The full backup/restore interface does not use the previously-defined
BackupDataInput / BackupDataOutput classes, because those classes
provide an API designed for incremental key/value data structuring.
Instead, a new FullBackupDataOutput class has been introduced, through
which we restrict apps' abilities to write data during a full backup
operation to *only* writing entire on-disk files via a new BackupAgent
method called fullBackupFile().
"FullBackupAgent" exists now solely as a concrete shell class that
can be instantiated in the case of apps that do not have their own
BackupAgent implementations.
Along with the API change, responsibility for backing up the .apk
file and OBB container has been moved into the framework rather than
have the application side of the transaction do it.
Change-Id: I12849b06b1a6e4c44d080587c1e9828a52b70dae
Don't emit tar blocks for directories with an invalid nonzero size. Also, if
such an entry is encountered during restore, don't actually attempt to treat
it as valid and thus skip over the next actual tar entry.
This patch also adds tracking of the data actually consumed during restore,
and reports a total at the end of stream.
Change-Id: I625173f76df3c007e899209101ff2b587841f184
Every available shared-storage volume is backed up, tagged with its
ordinal in the set of mounted shared volumes. This is an approximation
of "internal + the external card". This lets us restore things to the
same volume [or "equivalent" volume, in the case of a cross-model
restore] as they originated on.
Also fixed a bug in the handling of files/dirs with spaces in
their names.
Change-Id: I380019da8d0bb5b3699bd7c11eeff621a88e78c3
Packages with this manifest attribute set 'false' will not be backed
up even through the "full device backup" infrastructure. If someone
produces an apparent restore file with data for such an application,
it will not actually be restored onto the device.
When an apk is installed during the course of a restore operation,
it is validated against the manifest contents and deleted if there
is a mismatch. Also, if the newly-installed app is found to
disallow backups, no file content will be processed for that app.
Bug 4532159
Change-Id: I59630054584b1394e567de939192e22e597044ee
Usage: adb restore [tarfilename]
Restores app data [and installs the apps if necessary from the backup
file] captured in a previous invocation of 'adb backup'. The user
must explicitly acknowledge the action on-device before it is allowed
to proceed; this prevents any "invisible" pushes of content from the
host to the device.
Known issues:
* The settings databases and wallpaper are saved/restored, but lots
of other system state is not yet captured in the full backup. This
means that for practical purposes this is usable for 3rd party
apps at present but not for full-system cloning/imaging.
Change-Id: I0c748b645845e7c9178e30bf142857861a64efd3
