| 02d4e3441bc1bf767d0ed57b81bdfa59d2894cb6 |
|
11-Mar-2017 |
Jeff Sharkey <jsharkey@android.com> |
Move PackageInstaller over to AppFuse.
When PackageInstaller was originally written, we needed a way to
ensure that untrusted apps were fully hands-off of any opened
FileDescriptors before we could proceed with certificate checks.
The best way to satisfy this security constraint was to build
a utility called FileBridge which was a (terribly slow) RPC
mechanism that could be cut off when needed.
However, a new feature called "AppFuse" offers to create a "proxy"
FileDescriptor which relays file operations back into userspace, and
it's much more performant than FileBridge. (Local benchmark tests
that deliver a 64MB APK show that AppFuse is about 45% faster than
FileBridge.) Because userspace is still involved in every operation,
we can still "revoke" access at any time to deliver on our security
requirements.
This change adds support for AppFuse, while keeping around FileBridge
as the default for now. An upcoming flag-flip CL can be used to
easily switch between the two modes.
Test: builds, boots, benchmarking, stress tests
Bug: 35728404, 31332379, 25510838
Change-Id: I2a70c0ca922a5ba468ffdef7b2fd8ab79f7cfefd
/frameworks/base/core/java/android/os/FileBridge.java
|
| 77d218e1869e69c8d436b09cd11dcfe45e50b2cf |
|
06-Sep-2014 |
Jeff Sharkey <jsharkey@android.com> |
Delayed ASEC allocation, refine progress handling.
For restore use-case, session creation needs to complete quickly, so
delay ASEC allocation until session is opened. When preflighting
size checks, only consider external when we have a known size for the
container. Also relax size checks when using MODE_INHERIT_EXISTING
on external, since we don't know how much of existing app will be
copied over.
Consider session as "active" while commit is ongoing, until we're
either finished or pending user interaction.
Always publish first client needle movement away from 0. Use 25% of
internal progress to reflect ASEC allocation.
Avoid CloseGuard messages about leaking PFDs.
Bug: 17405741, 17402982
Change-Id: I6247a1d335d26621549c701c4c4575a8d16ef8c2
/frameworks/base/core/java/android/os/FileBridge.java
|
| 73a821780334bc7972bca28d848cbce70cc3f825 |
|
29-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Keep tests building.
Bug: 17183379
Change-Id: I7f52af3201975e8c626a6c6d7f508fd8d006b204
/frameworks/base/core/java/android/os/FileBridge.java
|
| 9a1507aa10577badabcbe00396613a967302e456 |
|
29-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
FileBridge needs to keep strong reference to PFD.
Even though we've grabbed the underlying FD, the PFD could be GC'ed
and when finalized it would end up closing the underlying FD. This
fix ties the PFD object lifecycle to the returned OutputStream.
Bug: 17183379
Change-Id: Ibee8f4cf78fee357181a250d15f2a653294b2877
/frameworks/base/core/java/android/os/FileBridge.java
|
| d3ca9917003a5e0650b559d58cf1eacf3b52bf34 |
|
26-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Report FileBridge failures as wtf().
Bug: 17183379
Change-Id: Ifd4dc690c04439e1f7abebd8e0ca4e1ff97d9cc8
/frameworks/base/core/java/android/os/FileBridge.java
|
| 5f1ed727e27cc00267539974372f062104052f56 |
|
22-Aug-2014 |
Jeff Sharkey <jsharkey@android.com> |
Guard against EOF when reading in FileBridge.
Bug: 17183379
Change-Id: I8856fc149915281093f83f46bad64f211d134322
/frameworks/base/core/java/android/os/FileBridge.java
|
| a10311434778ea1be1621c2251c0c8c2966f337b |
|
13-Jul-2014 |
Jeff Sharkey <jsharkey@android.com> |
Package installation listener events.
Flesh out implementation of install session observers. Carve out 20%
of published install progress for final system operations such as
dexopt, etc.
Add dumpsys output for active install sessions. Create explicit
fsync() instead of overriding meaning of flush(). Hack to throw
IOExceptions over Binder calls.
Bug: 14975160, 15348430
Change-Id: I874457e40c45d2661bc0a526df9285ffea4bb77c
/frameworks/base/core/java/android/os/FileBridge.java
|
| ec55ef0934b8e0d1bb705434947de817f7be57f1 |
|
08-Jul-2014 |
Jeff Sharkey <jsharkey@android.com> |
Extend pm to support sessions and split APKs.
Separate commands to create an install session, stream files into the
staging area, and then commit the install. Streaming can accept data
from stdin across adb, avoiding extra copy from push.
Extend FileBridge to support blocking close(). Always destroy
session regardless of result.
Bug: 14975160
Change-Id: Ic3f462e7d1901079b785e210228950cdfa676466
/frameworks/base/core/java/android/os/FileBridge.java
|
| 78cc340c2de873d6995c283b777476f7237d690f |
|
22-May-2014 |
Jeff Sharkey <jsharkey@android.com> |
Offer to stream and fsync() install sessions.
Installers are interested in both streaming APK data and establishing
a happens-after relationship to support resuming downloads after a
process kill or battery pull.
This exposes a generic OutputStream for writing, and hooks up flush()
to be a blocking call which returns only when all outstanding write()
data has been fsync()'ed to disk.
Tests to verify behavior.
Bug: 14975160
Change-Id: I38289867c80ac659163bb0c2158ef12d99cc570d
/frameworks/base/core/java/android/os/FileBridge.java
|