02d4e3441bc1bf767d0ed57b81bdfa59d2894cb6 |
|
11-Mar-2017 |
Jeff Sharkey <jsharkey@android.com> |
Move PackageInstaller over to AppFuse.
When PackageInstaller was originally written, we needed a way to ensure that untrusted apps were fully hands-off of any opened FileDescriptors before we could proceed with certificate checks. The best way to satisfy this security constraint was to build a utility called FileBridge which was a (terribly slow) RPC mechanism that could be cut off when needed.
However, a new feature called "AppFuse" offers to create a "proxy" FileDescriptor which relays file operations back into userspace, and it's much more performant than FileBridge. (Local benchmark tests that deliver a 64MB APK show that AppFuse is about 45% faster than FileBridge.) Because userspace is still involved in every operation, we can still "revoke" access at any time to deliver on our security requirements.
This change adds support for AppFuse, while keeping around FileBridge as the default for now. An upcoming flag-flip CL can be used to easily switch between the two modes.
Test: builds, boots, benchmarking, stress tests
Bug: 35728404, 31332379, 25510838
Change-Id: I2a70c0ca922a5ba468ffdef7b2fd8ab79f7cfefd
/frameworks/base/core/java/android/os/FileBridge.java
|
77d218e1869e69c8d436b09cd11dcfe45e50b2cf |
|
06-Sep-2014 |
Jeff Sharkey <jsharkey@android.com> |
Delayed ASEC allocation, refine progress handling.
For restore use-case, session creation needs to complete quickly, so delay ASEC allocation until session is opened.
When preflighting size checks, only consider external when we have a known size for the container. Also relax size checks when using MODE_INHERIT_EXISTING on external, since we don't know how much of existing app will be copied over.
Consider session as "active" while commit is ongoing, until we're either finished or pending user interaction.
Always publish first client needle movement away from 0. Use 25% of internal progress to reflect ASEC allocation.
Avoid CloseGuard messages about leaking PFDs.
Bug: 17405741, 17402982
Change-Id: I6247a1d335d26621549c701c4c4575a8d16ef8c2
/frameworks/base/core/java/android/os/FileBridge.java
|
73a821780334bc7972bca28d848cbce70cc3f825 |
|
29-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Keep tests building.
Bug: 17183379
Change-Id: I7f52af3201975e8c626a6c6d7f508fd8d006b204
/frameworks/base/core/java/android/os/FileBridge.java
|
9a1507aa10577badabcbe00396613a967302e456 |
|
29-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
FileBridge needs to keep strong reference to PFD.
Even though we've grabbed the underlying FD, the PFD could be GC'ed and when finalized it would end up closing the underlying FD. This fix ties the PFD object lifecycle to the returned OutputStream.
Bug: 17183379
Change-Id: Ibee8f4cf78fee357181a250d15f2a653294b2877
/frameworks/base/core/java/android/os/FileBridge.java
|
d3ca9917003a5e0650b559d58cf1eacf3b52bf34 |
|
26-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Report FileBridge failures as wtf().
Bug: 17183379
Change-Id: Ifd4dc690c04439e1f7abebd8e0ca4e1ff97d9cc8
/frameworks/base/core/java/android/os/FileBridge.java
|
5f1ed727e27cc00267539974372f062104052f56 |
|
22-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Guard against EOF when reading in FileBridge.
Bug: 17183379
Change-Id: I8856fc149915281093f83f46bad64f211d134322
/frameworks/base/core/java/android/os/FileBridge.java
|
a10311434778ea1be1621c2251c0c8c2966f337b |
|
13-Jul-2014 |
Jeff Sharkey <jsharkey@android.com> |
Package installation listener events.
Flesh out implementation of install session observers. Carve out 20% of published install progress for final system operations such as dexopt, etc. Add dumpsys output for active install sessions. Create explicit fsync() instead of overriding meaning of flush(). Hack to throw IOExceptions over Binder calls.
Bug: 14975160, 15348430
Change-Id: I874457e40c45d2661bc0a526df9285ffea4bb77c
/frameworks/base/core/java/android/os/FileBridge.java
|
ec55ef0934b8e0d1bb705434947de817f7be57f1 |
|
08-Jul-2014 |
Jeff Sharkey <jsharkey@android.com> |
Extend pm to support sessions and split APKs.
Separate commands to create an install session, stream files into the staging area, and then commit the install. Streaming can accept data from stdin across adb, avoiding extra copy from push. Extend FileBridge to support blocking close(). Always destroy session regardless of result.
Bug: 14975160
Change-Id: Ic3f462e7d1901079b785e210228950cdfa676466
/frameworks/base/core/java/android/os/FileBridge.java
|
78cc340c2de873d6995c283b777476f7237d690f |
|
22-May-2014 |
Jeff Sharkey <jsharkey@android.com> |
Offer to stream and fsync() install sessions.
Installers are interested in both streaming APK data and establishing a happens-after relationship to support resuming downloads after a process kill or battery pull. This exposes a generic OutputStream for writing, and hooks up flush() to be a blocking call which returns only when all outstanding write() data has been fsync()'ed to disk. Tests to verify behavior.
Bug: 14975160
Change-Id: I38289867c80ac659163bb0c2158ef12d99cc570d
/frameworks/base/core/java/android/os/FileBridge.java
|