1// 2// Copyright (C) 2014 The Android Open Source Project 3// 4// Licensed under the Apache License, Version 2.0 (the "License"); 5// you may not use this file except in compliance with the License. 6// You may obtain a copy of the License at 7// 8// http://www.apache.org/licenses/LICENSE-2.0 9// 10// Unless required by applicable law or agreed to in writing, software 11// distributed under the License is distributed on an "AS IS" BASIS, 12// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13// See the License for the specific language governing permissions and 14// limitations under the License. 15// 16 17#include "update_engine/update_manager/chromeos_policy.h" 18 19#include <algorithm> 20#include <set> 21#include <string> 22 23#include <base/logging.h> 24#include <base/strings/string_util.h> 25#include <base/time/time.h> 26 27#include "update_engine/common/error_code.h" 28#include "update_engine/common/error_code_utils.h" 29#include "update_engine/common/utils.h" 30#include "update_engine/update_manager/device_policy_provider.h" 31#include "update_engine/update_manager/policy_utils.h" 32#include "update_engine/update_manager/shill_provider.h" 33 34using base::Time; 35using base::TimeDelta; 36using chromeos_update_engine::ConnectionTethering; 37using chromeos_update_engine::ConnectionType; 38using chromeos_update_engine::ErrorCode; 39using std::get; 40using std::max; 41using std::min; 42using std::set; 43using std::string; 44 45namespace { 46 47// Examines |err_code| and decides whether the URL index needs to be advanced, 48// the error count for the URL incremented, or none of the above. In the first 49// case, returns true; in the second case, increments |*url_num_error_p| and 50// returns false; otherwise just returns false. 51// 52// TODO(garnold) Adapted from PayloadState::UpdateFailed() (to be retired). 53bool HandleErrorCode(ErrorCode err_code, int* url_num_error_p) { 54 err_code = chromeos_update_engine::utils::GetBaseErrorCode(err_code); 55 switch (err_code) { 56 // Errors which are good indicators of a problem with a particular URL or 57 // the protocol used in the URL or entities in the communication channel 58 // (e.g. proxies). We should try the next available URL in the next update 59 // check to quickly recover from these errors. 60 case ErrorCode::kPayloadHashMismatchError: 61 case ErrorCode::kPayloadSizeMismatchError: 62 case ErrorCode::kDownloadPayloadVerificationError: 63 case ErrorCode::kDownloadPayloadPubKeyVerificationError: 64 case ErrorCode::kSignedDeltaPayloadExpectedError: 65 case ErrorCode::kDownloadInvalidMetadataMagicString: 66 case ErrorCode::kDownloadSignatureMissingInManifest: 67 case ErrorCode::kDownloadManifestParseError: 68 case ErrorCode::kDownloadMetadataSignatureError: 69 case ErrorCode::kDownloadMetadataSignatureVerificationError: 70 case ErrorCode::kDownloadMetadataSignatureMismatch: 71 case ErrorCode::kDownloadOperationHashVerificationError: 72 case ErrorCode::kDownloadOperationExecutionError: 73 case ErrorCode::kDownloadOperationHashMismatch: 74 case ErrorCode::kDownloadInvalidMetadataSize: 75 case ErrorCode::kDownloadInvalidMetadataSignature: 76 case ErrorCode::kDownloadOperationHashMissingError: 77 case ErrorCode::kDownloadMetadataSignatureMissingError: 78 case ErrorCode::kPayloadMismatchedType: 79 case ErrorCode::kUnsupportedMajorPayloadVersion: 80 case ErrorCode::kUnsupportedMinorPayloadVersion: 81 LOG(INFO) << "Advancing download URL due to error " 82 << chromeos_update_engine::utils::ErrorCodeToString(err_code) 83 << " (" << static_cast<int>(err_code) << ")"; 84 return true; 85 86 // Errors which seem to be just transient network/communication related 87 // failures and do not indicate any inherent problem with the URL itself. 88 // So, we should keep the current URL but just increment the 89 // failure count to give it more chances. This way, while we maximize our 90 // chances of downloading from the URLs that appear earlier in the response 91 // (because download from a local server URL that appears earlier in a 92 // response is preferable than downloading from the next URL which could be 93 // an Internet URL and thus could be more expensive). 94 case ErrorCode::kError: 95 case ErrorCode::kDownloadTransferError: 96 case ErrorCode::kDownloadWriteError: 97 case ErrorCode::kDownloadStateInitializationError: 98 case ErrorCode::kOmahaErrorInHTTPResponse: // Aggregate for HTTP errors. 99 LOG(INFO) << "Incrementing URL failure count due to error " 100 << chromeos_update_engine::utils::ErrorCodeToString(err_code) 101 << " (" << static_cast<int>(err_code) << ")"; 102 *url_num_error_p += 1; 103 return false; 104 105 // Errors which are not specific to a URL and hence shouldn't result in 106 // the URL being penalized. This can happen in two cases: 107 // 1. We haven't started downloading anything: These errors don't cost us 108 // anything in terms of actual payload bytes, so we should just do the 109 // regular retries at the next update check. 110 // 2. We have successfully downloaded the payload: In this case, the 111 // payload attempt number would have been incremented and would take care 112 // of the back-off at the next update check. 113 // In either case, there's no need to update URL index or failure count. 114 case ErrorCode::kOmahaRequestError: 115 case ErrorCode::kOmahaResponseHandlerError: 116 case ErrorCode::kPostinstallRunnerError: 117 case ErrorCode::kFilesystemCopierError: 118 case ErrorCode::kInstallDeviceOpenError: 119 case ErrorCode::kKernelDeviceOpenError: 120 case ErrorCode::kDownloadNewPartitionInfoError: 121 case ErrorCode::kNewRootfsVerificationError: 122 case ErrorCode::kNewKernelVerificationError: 123 case ErrorCode::kPostinstallBootedFromFirmwareB: 124 case ErrorCode::kPostinstallFirmwareRONotUpdatable: 125 case ErrorCode::kOmahaRequestEmptyResponseError: 126 case ErrorCode::kOmahaRequestXMLParseError: 127 case ErrorCode::kOmahaResponseInvalid: 128 case ErrorCode::kOmahaUpdateIgnoredPerPolicy: 129 case ErrorCode::kOmahaUpdateDeferredPerPolicy: 130 case ErrorCode::kNonCriticalUpdateInOOBE: 131 case ErrorCode::kOmahaUpdateDeferredForBackoff: 132 case ErrorCode::kPostinstallPowerwashError: 133 case ErrorCode::kUpdateCanceledByChannelChange: 134 case ErrorCode::kOmahaRequestXMLHasEntityDecl: 135 case ErrorCode::kFilesystemVerifierError: 136 case ErrorCode::kUserCanceled: 137 LOG(INFO) << "Not changing URL index or failure count due to error " 138 << chromeos_update_engine::utils::ErrorCodeToString(err_code) 139 << " (" << static_cast<int>(err_code) << ")"; 140 return false; 141 142 case ErrorCode::kSuccess: // success code 143 case ErrorCode::kUmaReportedMax: // not an error code 144 case ErrorCode::kOmahaRequestHTTPResponseBase: // aggregated already 145 case ErrorCode::kDevModeFlag: // not an error code 146 case ErrorCode::kResumedFlag: // not an error code 147 case ErrorCode::kTestImageFlag: // not an error code 148 case ErrorCode::kTestOmahaUrlFlag: // not an error code 149 case ErrorCode::kSpecialFlags: // not an error code 150 // These shouldn't happen. Enumerating these explicitly here so that we 151 // can let the compiler warn about new error codes that are added to 152 // action_processor.h but not added here. 153 LOG(WARNING) << "Unexpected error " 154 << chromeos_update_engine::utils::ErrorCodeToString(err_code) 155 << " (" << static_cast<int>(err_code) << ")"; 156 // Note: Not adding a default here so as to let the compiler warn us of 157 // any new enums that were added in the .h but not listed in this switch. 158 } 159 return false; 160} 161 162// Checks whether |url| can be used under given download restrictions. 163bool IsUrlUsable(const string& url, bool http_allowed) { 164 return http_allowed || 165 !base::StartsWith(url, "http://", 166 base::CompareCase::INSENSITIVE_ASCII); 167} 168 169} // namespace 170 171namespace chromeos_update_manager { 172 173const int ChromeOSPolicy::kTimeoutInitialInterval = 7 * 60; 174 175// TODO(deymo): Split the update_manager policies for Brillo and ChromeOS and 176// make the update check periodic interval configurable. 177#ifdef __ANDROID__ 178const int ChromeOSPolicy::kTimeoutPeriodicInterval = 5 * 60 * 60; 179const int ChromeOSPolicy::kTimeoutMaxBackoffInterval = 26 * 60 * 60; 180#else 181const int ChromeOSPolicy::kTimeoutPeriodicInterval = 45 * 60; 182const int ChromeOSPolicy::kTimeoutMaxBackoffInterval = 4 * 60 * 60; 183#endif // __ANDROID__ 184 185const int ChromeOSPolicy::kTimeoutRegularFuzz = 10 * 60; 186const int ChromeOSPolicy::kAttemptBackoffMaxIntervalInDays = 16; 187const int ChromeOSPolicy::kAttemptBackoffFuzzInHours = 12; 188const int ChromeOSPolicy::kMaxP2PAttempts = 10; 189const int ChromeOSPolicy::kMaxP2PAttemptsPeriodInSeconds = 5 * 24 * 60 * 60; 190 191EvalStatus ChromeOSPolicy::UpdateCheckAllowed( 192 EvaluationContext* ec, State* state, string* error, 193 UpdateCheckParams* result) const { 194 // Set the default return values. 195 result->updates_enabled = true; 196 result->target_channel.clear(); 197 result->target_version_prefix.clear(); 198 result->is_interactive = false; 199 200 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 201 UpdaterProvider* const updater_provider = state->updater_provider(); 202 SystemProvider* const system_provider = state->system_provider(); 203 204 // Do not perform any updates if booted from removable device. This decision 205 // is final. 206 const unsigned int* num_slots_p = ec->GetValue( 207 system_provider->var_num_slots()); 208 if (!num_slots_p || *num_slots_p < 2) { 209 LOG(INFO) << "Not enough slots for A/B updates, disabling update checks."; 210 result->updates_enabled = false; 211 return EvalStatus::kSucceeded; 212 } 213 214 const bool* device_policy_is_loaded_p = ec->GetValue( 215 dp_provider->var_device_policy_is_loaded()); 216 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { 217 bool kiosk_app_control_chrome_version = false; 218 219 // Check whether updates are disabled by policy. 220 const bool* update_disabled_p = ec->GetValue( 221 dp_provider->var_update_disabled()); 222 if (update_disabled_p && *update_disabled_p) { 223 // Check whether allow kiosk app to control chrome version policy. This 224 // policy is only effective when AU is disabled by admin. 225 const bool* allow_kiosk_app_control_chrome_version_p = ec->GetValue( 226 dp_provider->var_allow_kiosk_app_control_chrome_version()); 227 kiosk_app_control_chrome_version = 228 allow_kiosk_app_control_chrome_version_p && 229 *allow_kiosk_app_control_chrome_version_p; 230 if (!kiosk_app_control_chrome_version) { 231 // No kiosk pin chrome version policy. AU is really disabled. 232 LOG(INFO) << "Updates disabled by policy, blocking update checks."; 233 return EvalStatus::kAskMeAgainLater; 234 } 235 } 236 237 if (kiosk_app_control_chrome_version) { 238 // Get the required platform version from Chrome. 239 const string* kiosk_required_platform_version_p = 240 ec->GetValue(system_provider->var_kiosk_required_platform_version()); 241 if (!kiosk_required_platform_version_p) { 242 LOG(INFO) << "Kiosk app required platform version is not fetched, " 243 "blocking update checks"; 244 return EvalStatus::kAskMeAgainLater; 245 } 246 247 result->target_version_prefix = *kiosk_required_platform_version_p; 248 LOG(INFO) << "Allow kiosk app to control Chrome version policy is set," 249 << ", target version is " 250 << (kiosk_required_platform_version_p 251 ? *kiosk_required_platform_version_p 252 : std::string("latest")); 253 } else { 254 // Determine whether a target version prefix is dictated by policy. 255 const string* target_version_prefix_p = ec->GetValue( 256 dp_provider->var_target_version_prefix()); 257 if (target_version_prefix_p) 258 result->target_version_prefix = *target_version_prefix_p; 259 } 260 261 // Determine whether a target channel is dictated by policy. 262 const bool* release_channel_delegated_p = ec->GetValue( 263 dp_provider->var_release_channel_delegated()); 264 if (release_channel_delegated_p && !(*release_channel_delegated_p)) { 265 const string* release_channel_p = ec->GetValue( 266 dp_provider->var_release_channel()); 267 if (release_channel_p) 268 result->target_channel = *release_channel_p; 269 } 270 } 271 272 // First, check to see if an interactive update was requested. 273 const UpdateRequestStatus* forced_update_requested_p = ec->GetValue( 274 updater_provider->var_forced_update_requested()); 275 if (forced_update_requested_p && 276 *forced_update_requested_p != UpdateRequestStatus::kNone) { 277 result->is_interactive = 278 (*forced_update_requested_p == UpdateRequestStatus::kInteractive); 279 LOG(INFO) << "Forced update signaled (" 280 << (result->is_interactive ? "interactive" : "periodic") 281 << "), allowing update check."; 282 return EvalStatus::kSucceeded; 283 } 284 285 // The logic thereafter applies to periodic updates. Bear in mind that we 286 // should not return a final "no" if any of these criteria are not satisfied, 287 // because the system may still update due to an interactive update request. 288 289 // Unofficial builds should not perform periodic update checks. 290 const bool* is_official_build_p = ec->GetValue( 291 system_provider->var_is_official_build()); 292 if (is_official_build_p && !(*is_official_build_p)) { 293 LOG(INFO) << "Unofficial build, blocking periodic update checks."; 294 return EvalStatus::kAskMeAgainLater; 295 } 296 297 // If OOBE is enabled, wait until it is completed. 298 const bool* is_oobe_enabled_p = ec->GetValue( 299 state->config_provider()->var_is_oobe_enabled()); 300 if (is_oobe_enabled_p && *is_oobe_enabled_p) { 301 const bool* is_oobe_complete_p = ec->GetValue( 302 system_provider->var_is_oobe_complete()); 303 if (is_oobe_complete_p && !(*is_oobe_complete_p)) { 304 LOG(INFO) << "OOBE not completed, blocking update checks."; 305 return EvalStatus::kAskMeAgainLater; 306 } 307 } 308 309 // Ensure that periodic update checks are timed properly. 310 Time next_update_check; 311 if (NextUpdateCheckTime(ec, state, error, &next_update_check) != 312 EvalStatus::kSucceeded) { 313 return EvalStatus::kFailed; 314 } 315 if (!ec->IsWallclockTimeGreaterThan(next_update_check)) { 316 LOG(INFO) << "Periodic check interval not satisfied, blocking until " 317 << chromeos_update_engine::utils::ToString(next_update_check); 318 return EvalStatus::kAskMeAgainLater; 319 } 320 321 // It is time to check for an update. 322 LOG(INFO) << "Allowing update check."; 323 return EvalStatus::kSucceeded; 324} 325 326EvalStatus ChromeOSPolicy::UpdateCanStart( 327 EvaluationContext* ec, 328 State* state, 329 string* error, 330 UpdateDownloadParams* result, 331 const UpdateState update_state) const { 332 // Set the default return values. Note that we set persisted values (backoff, 333 // scattering) to the same values presented in the update state. The reason is 334 // that preemptive returns, such as the case where an update check is due, 335 // should not clear off the said values; rather, it is the deliberate 336 // inference of new values that should cause them to be reset. 337 result->update_can_start = false; 338 result->cannot_start_reason = UpdateCannotStartReason::kUndefined; 339 result->download_url_idx = -1; 340 result->download_url_allowed = true; 341 result->download_url_num_errors = 0; 342 result->p2p_downloading_allowed = false; 343 result->p2p_sharing_allowed = false; 344 result->do_increment_failures = false; 345 result->backoff_expiry = update_state.backoff_expiry; 346 result->scatter_wait_period = update_state.scatter_wait_period; 347 result->scatter_check_threshold = update_state.scatter_check_threshold; 348 349 // Make sure that we're not due for an update check. 350 UpdateCheckParams check_result; 351 EvalStatus check_status = UpdateCheckAllowed(ec, state, error, &check_result); 352 if (check_status == EvalStatus::kFailed) 353 return EvalStatus::kFailed; 354 bool is_check_due = (check_status == EvalStatus::kSucceeded && 355 check_result.updates_enabled == true); 356 357 // Check whether backoff applies, and if not then which URL can be used for 358 // downloading. These require scanning the download error log, and so they are 359 // done together. 360 UpdateBackoffAndDownloadUrlResult backoff_url_result; 361 EvalStatus backoff_url_status = UpdateBackoffAndDownloadUrl( 362 ec, state, error, &backoff_url_result, update_state); 363 if (backoff_url_status == EvalStatus::kFailed) 364 return EvalStatus::kFailed; 365 result->download_url_idx = backoff_url_result.url_idx; 366 result->download_url_num_errors = backoff_url_result.url_num_errors; 367 result->do_increment_failures = backoff_url_result.do_increment_failures; 368 result->backoff_expiry = backoff_url_result.backoff_expiry; 369 bool is_backoff_active = 370 (backoff_url_status == EvalStatus::kAskMeAgainLater) || 371 !backoff_url_result.backoff_expiry.is_null(); 372 373 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 374 bool is_scattering_active = false; 375 EvalStatus scattering_status = EvalStatus::kSucceeded; 376 377 const bool* device_policy_is_loaded_p = ec->GetValue( 378 dp_provider->var_device_policy_is_loaded()); 379 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { 380 // Check whether scattering applies to this update attempt. We should not be 381 // scattering if this is an interactive update check, or if OOBE is enabled 382 // but not completed. 383 // 384 // Note: current code further suppresses scattering if a "deadline" 385 // attribute is found in the Omaha response. However, it appears that the 386 // presence of this attribute is merely indicative of an OOBE update, during 387 // which we suppress scattering anyway. 388 bool is_scattering_applicable = false; 389 result->scatter_wait_period = kZeroInterval; 390 result->scatter_check_threshold = 0; 391 if (!update_state.is_interactive) { 392 const bool* is_oobe_enabled_p = ec->GetValue( 393 state->config_provider()->var_is_oobe_enabled()); 394 if (is_oobe_enabled_p && !(*is_oobe_enabled_p)) { 395 is_scattering_applicable = true; 396 } else { 397 const bool* is_oobe_complete_p = ec->GetValue( 398 state->system_provider()->var_is_oobe_complete()); 399 is_scattering_applicable = (is_oobe_complete_p && *is_oobe_complete_p); 400 } 401 } 402 403 // Compute scattering values. 404 if (is_scattering_applicable) { 405 UpdateScatteringResult scatter_result; 406 scattering_status = UpdateScattering(ec, state, error, &scatter_result, 407 update_state); 408 if (scattering_status == EvalStatus::kFailed) { 409 return EvalStatus::kFailed; 410 } else { 411 result->scatter_wait_period = scatter_result.wait_period; 412 result->scatter_check_threshold = scatter_result.check_threshold; 413 if (scattering_status == EvalStatus::kAskMeAgainLater || 414 scatter_result.is_scattering) 415 is_scattering_active = true; 416 } 417 } 418 } 419 420 // Find out whether P2P is globally enabled. 421 bool p2p_enabled; 422 EvalStatus p2p_enabled_status = P2PEnabled(ec, state, error, &p2p_enabled); 423 if (p2p_enabled_status != EvalStatus::kSucceeded) 424 return EvalStatus::kFailed; 425 426 // Is P2P is enabled, consider allowing it for downloading and/or sharing. 427 if (p2p_enabled) { 428 // Sharing via P2P is allowed if not disabled by Omaha. 429 if (update_state.p2p_sharing_disabled) { 430 LOG(INFO) << "Blocked P2P sharing because it is disabled by Omaha."; 431 } else { 432 result->p2p_sharing_allowed = true; 433 } 434 435 // Downloading via P2P is allowed if not disabled by Omaha, an update is not 436 // interactive, and other limits haven't been reached. 437 if (update_state.p2p_downloading_disabled) { 438 LOG(INFO) << "Blocked P2P downloading because it is disabled by Omaha."; 439 } else if (update_state.is_interactive) { 440 LOG(INFO) << "Blocked P2P downloading because update is interactive."; 441 } else if (update_state.p2p_num_attempts >= kMaxP2PAttempts) { 442 LOG(INFO) << "Blocked P2P downloading as it was attempted too many " 443 "times."; 444 } else if (!update_state.p2p_first_attempted.is_null() && 445 ec->IsWallclockTimeGreaterThan( 446 update_state.p2p_first_attempted + 447 TimeDelta::FromSeconds(kMaxP2PAttemptsPeriodInSeconds))) { 448 LOG(INFO) << "Blocked P2P downloading as its usage timespan exceeds " 449 "limit."; 450 } else { 451 // P2P download is allowed; if backoff or scattering are active, be sure 452 // to suppress them, yet prevent any download URL from being used. 453 result->p2p_downloading_allowed = true; 454 if (is_backoff_active || is_scattering_active) { 455 is_backoff_active = is_scattering_active = false; 456 result->download_url_allowed = false; 457 } 458 } 459 } 460 461 // Check for various deterrents. 462 if (is_check_due) { 463 result->cannot_start_reason = UpdateCannotStartReason::kCheckDue; 464 return EvalStatus::kSucceeded; 465 } 466 if (is_backoff_active) { 467 result->cannot_start_reason = UpdateCannotStartReason::kBackoff; 468 return backoff_url_status; 469 } 470 if (is_scattering_active) { 471 result->cannot_start_reason = UpdateCannotStartReason::kScattering; 472 return scattering_status; 473 } 474 if (result->download_url_idx < 0 && !result->p2p_downloading_allowed) { 475 result->cannot_start_reason = UpdateCannotStartReason::kCannotDownload; 476 return EvalStatus::kSucceeded; 477 } 478 479 // Update is good to go. 480 result->update_can_start = true; 481 return EvalStatus::kSucceeded; 482} 483 484// TODO(garnold) Logic in this method is based on 485// ConnectionManager::IsUpdateAllowedOver(); be sure to deprecate the latter. 486// 487// TODO(garnold) The current logic generally treats the list of allowed 488// connections coming from the device policy as a whitelist, meaning that it 489// can only be used for enabling connections, but not disable them. Further, 490// certain connection types (like Bluetooth) cannot be enabled even by policy. 491// In effect, the only thing that device policy can change is to enable 492// updates over a cellular network (disabled by default). We may want to 493// revisit this semantics, allowing greater flexibility in defining specific 494// permissions over all types of networks. 495EvalStatus ChromeOSPolicy::UpdateDownloadAllowed( 496 EvaluationContext* ec, 497 State* state, 498 string* error, 499 bool* result) const { 500 // Get the current connection type. 501 ShillProvider* const shill_provider = state->shill_provider(); 502 const ConnectionType* conn_type_p = ec->GetValue( 503 shill_provider->var_conn_type()); 504 POLICY_CHECK_VALUE_AND_FAIL(conn_type_p, error); 505 ConnectionType conn_type = *conn_type_p; 506 507 // If we're tethering, treat it as a cellular connection. 508 if (conn_type != ConnectionType::kCellular) { 509 const ConnectionTethering* conn_tethering_p = ec->GetValue( 510 shill_provider->var_conn_tethering()); 511 POLICY_CHECK_VALUE_AND_FAIL(conn_tethering_p, error); 512 if (*conn_tethering_p == ConnectionTethering::kConfirmed) 513 conn_type = ConnectionType::kCellular; 514 } 515 516 // By default, we allow updates for all connection types, with exceptions as 517 // noted below. This also determines whether a device policy can override the 518 // default. 519 *result = true; 520 bool device_policy_can_override = false; 521 switch (conn_type) { 522 case ConnectionType::kBluetooth: 523 *result = false; 524 break; 525 526 case ConnectionType::kCellular: 527 *result = false; 528 device_policy_can_override = true; 529 break; 530 531 case ConnectionType::kUnknown: 532 if (error) 533 *error = "Unknown connection type"; 534 return EvalStatus::kFailed; 535 536 default: 537 break; // Nothing to do. 538 } 539 540 // If update is allowed, we're done. 541 if (*result) 542 return EvalStatus::kSucceeded; 543 544 // Check whether the device policy specifically allows this connection. 545 if (device_policy_can_override) { 546 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 547 const bool* device_policy_is_loaded_p = ec->GetValue( 548 dp_provider->var_device_policy_is_loaded()); 549 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { 550 const set<ConnectionType>* allowed_conn_types_p = ec->GetValue( 551 dp_provider->var_allowed_connection_types_for_update()); 552 if (allowed_conn_types_p) { 553 if (allowed_conn_types_p->count(conn_type)) { 554 *result = true; 555 return EvalStatus::kSucceeded; 556 } 557 } else if (conn_type == ConnectionType::kCellular) { 558 // Local user settings can allow updates over cellular iff a policy was 559 // loaded but no allowed connections were specified in it. 560 const bool* update_over_cellular_allowed_p = ec->GetValue( 561 state->updater_provider()->var_cellular_enabled()); 562 if (update_over_cellular_allowed_p && *update_over_cellular_allowed_p) 563 *result = true; 564 } 565 } 566 } 567 568 return (*result ? EvalStatus::kSucceeded : EvalStatus::kAskMeAgainLater); 569} 570 571EvalStatus ChromeOSPolicy::P2PEnabled(EvaluationContext* ec, 572 State* state, 573 string* error, 574 bool* result) const { 575 bool enabled = false; 576 577 // Determine whether use of P2P is allowed by policy. Even if P2P is not 578 // explicitly allowed, we allow it if the device is enterprise enrolled (that 579 // is, missing or empty owner string). 580 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 581 const bool* device_policy_is_loaded_p = ec->GetValue( 582 dp_provider->var_device_policy_is_loaded()); 583 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { 584 const bool* policy_au_p2p_enabled_p = ec->GetValue( 585 dp_provider->var_au_p2p_enabled()); 586 if (policy_au_p2p_enabled_p) { 587 enabled = *policy_au_p2p_enabled_p; 588 } else { 589 const string* policy_owner_p = ec->GetValue(dp_provider->var_owner()); 590 if (!policy_owner_p || policy_owner_p->empty()) 591 enabled = true; 592 } 593 } 594 595 // Enable P2P, if so mandated by the updater configuration. This is additive 596 // to whether or not P2P is enabled by device policy. 597 if (!enabled) { 598 const bool* updater_p2p_enabled_p = ec->GetValue( 599 state->updater_provider()->var_p2p_enabled()); 600 enabled = updater_p2p_enabled_p && *updater_p2p_enabled_p; 601 } 602 603 *result = enabled; 604 return EvalStatus::kSucceeded; 605} 606 607EvalStatus ChromeOSPolicy::P2PEnabledChanged(EvaluationContext* ec, 608 State* state, 609 string* error, 610 bool* result, 611 bool prev_result) const { 612 EvalStatus status = P2PEnabled(ec, state, error, result); 613 if (status == EvalStatus::kSucceeded && *result == prev_result) 614 return EvalStatus::kAskMeAgainLater; 615 return status; 616} 617 618EvalStatus ChromeOSPolicy::NextUpdateCheckTime(EvaluationContext* ec, 619 State* state, string* error, 620 Time* next_update_check) const { 621 UpdaterProvider* const updater_provider = state->updater_provider(); 622 623 // Don't check for updates too often. We limit the update checks to once every 624 // some interval. The interval is kTimeoutInitialInterval the first time and 625 // kTimeoutPeriodicInterval for the subsequent update checks. If the update 626 // check fails, we increase the interval between the update checks 627 // exponentially until kTimeoutMaxBackoffInterval. Finally, to avoid having 628 // many chromebooks running update checks at the exact same time, we add some 629 // fuzz to the interval. 630 const Time* updater_started_time = 631 ec->GetValue(updater_provider->var_updater_started_time()); 632 POLICY_CHECK_VALUE_AND_FAIL(updater_started_time, error); 633 634 const Time* last_checked_time = 635 ec->GetValue(updater_provider->var_last_checked_time()); 636 637 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed()); 638 POLICY_CHECK_VALUE_AND_FAIL(seed, error); 639 640 PRNG prng(*seed); 641 642 // If this is the first attempt, compute and return an initial value. 643 if (!last_checked_time || *last_checked_time < *updater_started_time) { 644 *next_update_check = *updater_started_time + FuzzedInterval( 645 &prng, kTimeoutInitialInterval, kTimeoutRegularFuzz); 646 return EvalStatus::kSucceeded; 647 } 648 649 // Check whether the server is enforcing a poll interval; if not, this value 650 // will be zero. 651 const unsigned int* server_dictated_poll_interval = ec->GetValue( 652 updater_provider->var_server_dictated_poll_interval()); 653 POLICY_CHECK_VALUE_AND_FAIL(server_dictated_poll_interval, error); 654 655 int interval = *server_dictated_poll_interval; 656 int fuzz = 0; 657 658 // If no poll interval was dictated by server compute a back-off period, 659 // starting from a predetermined base periodic interval and increasing 660 // exponentially by the number of consecutive failed attempts. 661 if (interval == 0) { 662 const unsigned int* consecutive_failed_update_checks = ec->GetValue( 663 updater_provider->var_consecutive_failed_update_checks()); 664 POLICY_CHECK_VALUE_AND_FAIL(consecutive_failed_update_checks, error); 665 666 interval = kTimeoutPeriodicInterval; 667 unsigned int num_failures = *consecutive_failed_update_checks; 668 while (interval < kTimeoutMaxBackoffInterval && num_failures) { 669 interval *= 2; 670 num_failures--; 671 } 672 } 673 674 // We cannot back off longer than the predetermined maximum interval. 675 if (interval > kTimeoutMaxBackoffInterval) 676 interval = kTimeoutMaxBackoffInterval; 677 678 // We cannot back off shorter than the predetermined periodic interval. Also, 679 // in this case set the fuzz to a predetermined regular value. 680 if (interval <= kTimeoutPeriodicInterval) { 681 interval = kTimeoutPeriodicInterval; 682 fuzz = kTimeoutRegularFuzz; 683 } 684 685 // If not otherwise determined, defer to a fuzz of +/-(interval / 2). 686 if (fuzz == 0) 687 fuzz = interval; 688 689 *next_update_check = *last_checked_time + FuzzedInterval( 690 &prng, interval, fuzz); 691 return EvalStatus::kSucceeded; 692} 693 694TimeDelta ChromeOSPolicy::FuzzedInterval(PRNG* prng, int interval, int fuzz) { 695 DCHECK_GE(interval, 0); 696 DCHECK_GE(fuzz, 0); 697 int half_fuzz = fuzz / 2; 698 // This guarantees the output interval is non negative. 699 int interval_min = max(interval - half_fuzz, 0); 700 int interval_max = interval + half_fuzz; 701 return TimeDelta::FromSeconds(prng->RandMinMax(interval_min, interval_max)); 702} 703 704EvalStatus ChromeOSPolicy::UpdateBackoffAndDownloadUrl( 705 EvaluationContext* ec, State* state, string* error, 706 UpdateBackoffAndDownloadUrlResult* result, 707 const UpdateState& update_state) const { 708 // Sanity checks. 709 DCHECK_GE(update_state.download_errors_max, 0); 710 711 // Set default result values. 712 result->do_increment_failures = false; 713 result->backoff_expiry = update_state.backoff_expiry; 714 result->url_idx = -1; 715 result->url_num_errors = 0; 716 717 const bool* is_official_build_p = ec->GetValue( 718 state->system_provider()->var_is_official_build()); 719 bool is_official_build = (is_official_build_p ? *is_official_build_p : true); 720 721 // Check whether backoff is enabled. 722 bool may_backoff = false; 723 if (update_state.is_backoff_disabled) { 724 LOG(INFO) << "Backoff disabled by Omaha."; 725 } else if (update_state.is_interactive) { 726 LOG(INFO) << "No backoff for interactive updates."; 727 } else if (update_state.is_delta_payload) { 728 LOG(INFO) << "No backoff for delta payloads."; 729 } else if (!is_official_build) { 730 LOG(INFO) << "No backoff for unofficial builds."; 731 } else { 732 may_backoff = true; 733 } 734 735 // If previous backoff still in effect, block. 736 if (may_backoff && !update_state.backoff_expiry.is_null() && 737 !ec->IsWallclockTimeGreaterThan(update_state.backoff_expiry)) { 738 LOG(INFO) << "Previous backoff has not expired, waiting."; 739 return EvalStatus::kAskMeAgainLater; 740 } 741 742 // Determine whether HTTP downloads are forbidden by policy. This only 743 // applies to official system builds; otherwise, HTTP is always enabled. 744 bool http_allowed = true; 745 if (is_official_build) { 746 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 747 const bool* device_policy_is_loaded_p = ec->GetValue( 748 dp_provider->var_device_policy_is_loaded()); 749 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { 750 const bool* policy_http_downloads_enabled_p = ec->GetValue( 751 dp_provider->var_http_downloads_enabled()); 752 http_allowed = (!policy_http_downloads_enabled_p || 753 *policy_http_downloads_enabled_p); 754 } 755 } 756 757 int url_idx = update_state.last_download_url_idx; 758 if (url_idx < 0) 759 url_idx = -1; 760 bool do_advance_url = false; 761 bool is_failure_occurred = false; 762 Time err_time; 763 764 // Scan the relevant part of the download error log, tracking which URLs are 765 // being used, and accounting the number of errors for each URL. Note that 766 // this process may not traverse all errors provided, as it may decide to bail 767 // out midway depending on the particular errors exhibited, the number of 768 // failures allowed, etc. When this ends, |url_idx| will point to the last URL 769 // used (-1 if starting fresh), |do_advance_url| will determine whether the 770 // URL needs to be advanced, and |err_time| the point in time when the last 771 // reported error occurred. Additionally, if the error log indicates that an 772 // update attempt has failed (abnormal), then |is_failure_occurred| will be 773 // set to true. 774 const int num_urls = update_state.download_urls.size(); 775 int prev_url_idx = -1; 776 int url_num_errors = update_state.last_download_url_num_errors; 777 Time prev_err_time; 778 bool is_first = true; 779 for (const auto& err_tuple : update_state.download_errors) { 780 // Do some sanity checks. 781 int used_url_idx = get<0>(err_tuple); 782 if (is_first && url_idx >= 0 && used_url_idx != url_idx) { 783 LOG(WARNING) << "First URL in error log (" << used_url_idx 784 << ") not as expected (" << url_idx << ")"; 785 } 786 is_first = false; 787 url_idx = used_url_idx; 788 if (url_idx < 0 || url_idx >= num_urls) { 789 LOG(ERROR) << "Download error log contains an invalid URL index (" 790 << url_idx << ")"; 791 return EvalStatus::kFailed; 792 } 793 err_time = get<2>(err_tuple); 794 if (!(prev_err_time.is_null() || err_time >= prev_err_time)) { 795 // TODO(garnold) Monotonicity cannot really be assumed when dealing with 796 // wallclock-based timestamps. However, we're making a simplifying 797 // assumption so as to keep the policy implementation straightforward, for 798 // now. In general, we should convert all timestamp handling in the 799 // UpdateManager to use monotonic time (instead of wallclock), including 800 // the computation of various expiration times (backoff, scattering, etc). 801 // The client will do whatever conversions necessary when 802 // persisting/retrieving these values across reboots. See chromium:408794. 803 LOG(ERROR) << "Download error timestamps not monotonically increasing."; 804 return EvalStatus::kFailed; 805 } 806 prev_err_time = err_time; 807 808 // Ignore errors that happened before the last known failed attempt. 809 if (!update_state.failures_last_updated.is_null() && 810 err_time <= update_state.failures_last_updated) 811 continue; 812 813 if (prev_url_idx >= 0) { 814 if (url_idx < prev_url_idx) { 815 LOG(ERROR) << "The URLs in the download error log have wrapped around (" 816 << prev_url_idx << "->" << url_idx 817 << "). This should not have happened and means that there's " 818 "a bug. To be conservative, we record a failed attempt " 819 "(invalidating the rest of the error log) and resume " 820 "download from the first usable URL."; 821 url_idx = -1; 822 is_failure_occurred = true; 823 break; 824 } 825 826 if (url_idx > prev_url_idx) { 827 url_num_errors = 0; 828 do_advance_url = false; 829 } 830 } 831 832 if (HandleErrorCode(get<1>(err_tuple), &url_num_errors) || 833 url_num_errors > update_state.download_errors_max) 834 do_advance_url = true; 835 836 prev_url_idx = url_idx; 837 } 838 839 // If required, advance to the next usable URL. If the URLs wraparound, we 840 // mark an update attempt failure. Also be sure to set the download error 841 // count to zero. 842 if (url_idx < 0 || do_advance_url) { 843 url_num_errors = 0; 844 int start_url_idx = -1; 845 do { 846 if (++url_idx == num_urls) { 847 url_idx = 0; 848 // We only mark failure if an actual advancing of a URL was required. 849 if (do_advance_url) 850 is_failure_occurred = true; 851 } 852 853 if (start_url_idx < 0) 854 start_url_idx = url_idx; 855 else if (url_idx == start_url_idx) 856 url_idx = -1; // No usable URL. 857 } while (url_idx >= 0 && 858 !IsUrlUsable(update_state.download_urls[url_idx], http_allowed)); 859 } 860 861 // If we have a download URL but a failure was observed, compute a new backoff 862 // expiry (if allowed). The backoff period is generally 2 ^ (num_failures - 1) 863 // days, bounded by the size of int and kAttemptBackoffMaxIntervalInDays, and 864 // fuzzed by kAttemptBackoffFuzzInHours hours. Backoff expiry is computed from 865 // the latest recorded time of error. 866 Time backoff_expiry; 867 if (url_idx >= 0 && is_failure_occurred && may_backoff) { 868 CHECK(!err_time.is_null()) 869 << "We must have an error timestamp if a failure occurred!"; 870 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed()); 871 POLICY_CHECK_VALUE_AND_FAIL(seed, error); 872 PRNG prng(*seed); 873 int exp = min(update_state.num_failures, 874 static_cast<int>(sizeof(int)) * 8 - 2); 875 TimeDelta backoff_interval = TimeDelta::FromDays( 876 min(1 << exp, kAttemptBackoffMaxIntervalInDays)); 877 TimeDelta backoff_fuzz = TimeDelta::FromHours(kAttemptBackoffFuzzInHours); 878 TimeDelta wait_period = FuzzedInterval(&prng, backoff_interval.InSeconds(), 879 backoff_fuzz.InSeconds()); 880 backoff_expiry = err_time + wait_period; 881 882 // If the newly computed backoff already expired, nullify it. 883 if (ec->IsWallclockTimeGreaterThan(backoff_expiry)) 884 backoff_expiry = Time(); 885 } 886 887 result->do_increment_failures = is_failure_occurred; 888 result->backoff_expiry = backoff_expiry; 889 result->url_idx = url_idx; 890 result->url_num_errors = url_num_errors; 891 return EvalStatus::kSucceeded; 892} 893 894EvalStatus ChromeOSPolicy::UpdateScattering( 895 EvaluationContext* ec, 896 State* state, 897 string* error, 898 UpdateScatteringResult* result, 899 const UpdateState& update_state) const { 900 // Preconditions. These stem from the postconditions and usage contract. 901 DCHECK(update_state.scatter_wait_period >= kZeroInterval); 902 DCHECK_GE(update_state.scatter_check_threshold, 0); 903 904 // Set default result values. 905 result->is_scattering = false; 906 result->wait_period = kZeroInterval; 907 result->check_threshold = 0; 908 909 DevicePolicyProvider* const dp_provider = state->device_policy_provider(); 910 911 // Ensure that a device policy is loaded. 912 const bool* device_policy_is_loaded_p = ec->GetValue( 913 dp_provider->var_device_policy_is_loaded()); 914 if (!(device_policy_is_loaded_p && *device_policy_is_loaded_p)) 915 return EvalStatus::kSucceeded; 916 917 // Is scattering enabled by policy? 918 const TimeDelta* scatter_factor_p = ec->GetValue( 919 dp_provider->var_scatter_factor()); 920 if (!scatter_factor_p || *scatter_factor_p == kZeroInterval) 921 return EvalStatus::kSucceeded; 922 923 // Obtain a pseudo-random number generator. 924 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed()); 925 POLICY_CHECK_VALUE_AND_FAIL(seed, error); 926 PRNG prng(*seed); 927 928 // Step 1: Maintain the scattering wait period. 929 // 930 // If no wait period was previously determined, or it no longer fits in the 931 // scatter factor, then generate a new one. Otherwise, keep the one we have. 932 TimeDelta wait_period = update_state.scatter_wait_period; 933 if (wait_period == kZeroInterval || wait_period > *scatter_factor_p) { 934 wait_period = TimeDelta::FromSeconds( 935 prng.RandMinMax(1, scatter_factor_p->InSeconds())); 936 } 937 938 // If we surpassed the wait period or the max scatter period associated with 939 // the update, then no wait is needed. 940 Time wait_expires = (update_state.first_seen + 941 min(wait_period, update_state.scatter_wait_period_max)); 942 if (ec->IsWallclockTimeGreaterThan(wait_expires)) 943 wait_period = kZeroInterval; 944 945 // Step 2: Maintain the update check threshold count. 946 // 947 // If an update check threshold is not specified then generate a new 948 // one. 949 int check_threshold = update_state.scatter_check_threshold; 950 if (check_threshold == 0) { 951 check_threshold = prng.RandMinMax( 952 update_state.scatter_check_threshold_min, 953 update_state.scatter_check_threshold_max); 954 } 955 956 // If the update check threshold is not within allowed range then nullify it. 957 // TODO(garnold) This is compliant with current logic found in 958 // OmahaRequestAction::IsUpdateCheckCountBasedWaitingSatisfied(). We may want 959 // to change it so that it behaves similarly to the wait period case, namely 960 // if the current value exceeds the maximum, we set a new one within range. 961 if (check_threshold > update_state.scatter_check_threshold_max) 962 check_threshold = 0; 963 964 // If the update check threshold is non-zero and satisfied, then nullify it. 965 if (check_threshold > 0 && update_state.num_checks >= check_threshold) 966 check_threshold = 0; 967 968 bool is_scattering = (wait_period != kZeroInterval || check_threshold); 969 EvalStatus ret = EvalStatus::kSucceeded; 970 if (is_scattering && wait_period == update_state.scatter_wait_period && 971 check_threshold == update_state.scatter_check_threshold) 972 ret = EvalStatus::kAskMeAgainLater; 973 result->is_scattering = is_scattering; 974 result->wait_period = wait_period; 975 result->check_threshold = check_threshold; 976 return ret; 977} 978 979} // namespace chromeos_update_manager 980