On restore now, the backup manager gets the signature blocks corresponding to
the restore set from the transport. It then validates those signatures against
the on-device app signatures, and refuses to restore data to an app whose
on-device sig block does not match the backup image's.
Also actually implement 'bmgr transport N' so that we can select the local
transport easily during runtime.
Merge commit '167dbe0bf1f8d807d1ced400f146b7780eb6c721'
* commit '167dbe0bf1f8d807d1ced400f146b7780eb6c721':
Update RandomBlock to use RandomAccessFile. This helps
* changes:
Update RandomBlock to use RandomAccessFile. This helps prevent certain unusual conditions from corrupting the entropy file. (for example, if Android should happen to crash while a write is in progress)
Merge commit '07eac016446c63711bebe6e553e98c02d1fe55a5'
* commit '07eac016446c63711bebe6e553e98c02d1fe55a5':
Store the app signatures as part of the backup set
Under a pseudo-app for the Package Manager, we store the app signatures for all
participating applications installed on the device. At restore time we will
restore this first, then ensure that the current on-device signature chain is
compatible with the one in the backup set. If there's a mismatch, this may be a
spoof attempt and we will refuse to restore that app's data.
The restore side of this is not implemented, but the Package Manager agent is
here as well as the backup side theoretically pushing the data now.
Merge commit '5ad76ef5ee1b437b4c07ed0be78ec7cc16c81dfe'
* commit '5ad76ef5ee1b437b4c07ed0be78ec7cc16c81dfe':
load entropy data at boot. Periodically write entropy data to disk.
Merge commit 'c14b9ccdf13163cae5ce5d21bcf377010b37594b'
* commit 'c14b9ccdf13163cae5ce5d21bcf377010b37594b':
Extend Intent/Uri conversion for use by Browser
Merge commit '3c2f8e6651178742bc685e7bd62fa8a6ca409a74'
* commit '3c2f8e6651178742bc685e7bd62fa8a6ca409a74':
Replace the stub GoogleTransport with callout to the
This introduces a new Uri form of Intent with an "intent:" scheme, and a
corresponding update to the parser to handle these, so that the browser
can use this generic facility for starting activities based on the links
that are clicked and allow for web pages to link to arbitrary intents.
There is also a new "package" field on Intent which allows you to limit
the components it finds to a given package. This replaces the new method
that was added to PackageManager for doing this when resolving activities,
and implements it for all Intent queries against the package manager.
We now only increment the launch count when we are launching from one package
to another. Also the individual components in a package now have a count
of the number of times they have been entered, which likewise is only updated
when going to one component from another.
This requires a new data format (all old data is wiped) and new checkin
dump format (tools must be updated to read it).
Merge commit '07ca8c71f47ac8c61b3aef0210e44d2c48e62e48'
* commit '07ca8c71f47ac8c61b3aef0210e44d2c48e62e48':
Fix many of the ANRs introduced by scheduling classes.
Merge commit 'aa088447baadd2e0bbcfd18cc529645610c13ddc'
* commit 'aa088447baadd2e0bbcfd18cc529645610c13ddc':
Hold the current transport instantiated all the time.
Create a new public IntentSender class that can be used by PackageManager instead.
This new class uses IIntentSender internally and can only be created by PendingIntent for now.
Provide a new getIntentSender api in PendingIntent to create an instance of this class.
Move IIntentSender and IIntentReceiver from android.app to android.content
Change imports of IIntentSender and IIntentReceiver to reflect the new package name
The PackageManager api has been named as freeStorageWithIntent and will be renamed as freeStorage
once the older api (which has been deprecated) is removed shortly.
Merge commit '63d2700036d0f73cbde27f0fa724d30045b4bb07'
* commit '63d2700036d0f73cbde27f0fa724d30045b4bb07':
Allow privileged callers to schedule a backup pass for any app.
We weren't bumping the oom_adj of processes receiving a registered broadcast. Previously
this wasn't a problem, because those processes are allowed to have their oom_adj
managed by whatever else is in them and if the registered receiver goes away no problem.
But now this is also controlling the scheduling class, so we need to bump them up.
This is probably good anyway, since the developer has the same assurance of their process
not being killed in the middle of registered receivers like it had always been for
manifest receivers.
Also fixed a small issue where we were not recomputing the oom_adj after finishing with
a broadcast.
We no longer instantiate the transport just for the duration of handling a
backup or restore operation. Instead, we hold the object forever (replacing it
if instructed to do so). This makes it easier for transports to watch system
state and help set backup timing policy.
Also fixes up the IBackupTransport documentation a bit.
The 'list sets' and 'restore token#' commands from bmgr now do what they are
supposed to. At this point we see the restore target's data being cleared
properly and its agent being launched and invoked for restore.
This also includes some changes to the window manager permission checks. Almost all of these
are to make it more testable (through an exception on a permission failure), though there is
one permission check that needed to be added: updateOrientationFromAppTokens().
Merge commit '2fdd428e0f18384160f7c38ce3a2cd9ba7e7b2c2'
* commit '2fdd428e0f18384160f7c38ce3a2cd9ba7e7b2c2':
Fix some backup reader/writer issues; make local transport do backup
Fix the jni initializer.
Add RestoreFileHelper, BackupDataInput, and add java wrappers for the methods on BackupDataOutput.
Fix bug #1812041: activity manager crash with bad args.
Journal backup requests so that they won't be lost in a crash
Fix data connection issues.
There was old code that would kill the system process in some cases when there
was a bad activity token. This is really no longer used, except in a few
places where it allows apps to kill the system. So just get rid of it and
make the world a better place.
When an application requests a backup via dataChanged(), we now journal that
fact on disk. The journal persists and is only removed following a successful
backup pass. When the backup manager is started at boot time, it looks for any
existing journal files and schedules a backup for the apps listed in them, on
the expectation that the device shut down or crashed before a backup could be
performed.
Merge commit '9bbc21a773cbdfbef2876a75c32bda5839647751'
* commit '9bbc21a773cbdfbef2876a75c32bda5839647751':
Flesh out restore interface on manager; work up most of LocalTransport