BackupManagerService.java revision af31dffcb3fe884c4ee376f0e9503262abb80859 
1/*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 *      http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17package com.android.server.backup;
18
19import static android.app.backup.BackupManagerMonitor.EXTRA_LOG_EVENT_PACKAGE_NAME;
20import static android.app.backup.BackupManagerMonitor.EXTRA_LOG_EVENT_PACKAGE_VERSION;
21import static android.app.backup.BackupManagerMonitor.EXTRA_LOG_OLD_VERSION;
22import static android.app.backup.BackupManagerMonitor.EXTRA_LOG_POLICY_ALLOW_APKS;
23import static android.app.backup.BackupManagerMonitor.EXTRA_LOG_MANIFEST_PACKAGE_NAME;
24import static android.app.backup.BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT;
25import static android.app.backup.BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY;
26import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_VERSION_OF_BACKUP_OLDER;
27import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_FULL_RESTORE_SIGNATURE_MISMATCH;
28import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_SYSTEM_APP_NO_AGENT;
29import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_FULL_RESTORE_ALLOW_BACKUP_FALSE;
30import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_APK_NOT_INSTALLED;
31import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_CANNOT_RESTORE_WITHOUT_APK;
32import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_MISSING_SIGNATURE;
33import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_EXPECTED_DIFFERENT_PACKAGE;
34import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_RESTORE_ANY_VERSION;
35import static android.app.backup.BackupManagerMonitor.LOG_EVENT_ID_VERSIONS_MATCH;
36import static android.content.pm.ApplicationInfo.PRIVATE_FLAG_BACKUP_IN_FOREGROUND;
37
38import android.app.ActivityManager;
39import android.app.AlarmManager;
40import android.app.AppGlobals;
41import android.app.ApplicationThreadConstants;
42import android.app.IActivityManager;
43import android.app.IBackupAgent;
44import android.app.PackageInstallObserver;
45import android.app.PendingIntent;
46import android.app.backup.BackupAgent;
47import android.app.backup.BackupDataInput;
48import android.app.backup.BackupDataOutput;
49import android.app.backup.BackupManager;
50import android.app.backup.BackupManagerMonitor;
51import android.app.backup.BackupProgress;
52import android.app.backup.BackupTransport;
53import android.app.backup.FullBackup;
54import android.app.backup.FullBackupDataOutput;
55import android.app.backup.IBackupManager;
56import android.app.backup.IBackupManagerMonitor;
57import android.app.backup.IBackupObserver;
58import android.app.backup.IFullBackupRestoreObserver;
59import android.app.backup.IRestoreObserver;
60import android.app.backup.IRestoreSession;
61import android.app.backup.ISelectBackupTransportCallback;
62import android.app.backup.RestoreDescription;
63import android.app.backup.RestoreSet;
64import android.app.backup.SelectBackupTransportCallback;
65import android.content.ActivityNotFoundException;
66import android.content.BroadcastReceiver;
67import android.content.ComponentName;
68import android.content.ContentResolver;
69import android.content.Context;
70import android.content.Intent;
71import android.content.IntentFilter;
72import android.content.ServiceConnection;
73import android.content.pm.ApplicationInfo;
74import android.content.pm.IPackageDataObserver;
75import android.content.pm.IPackageDeleteObserver;
76import android.content.pm.IPackageManager;
77import android.content.pm.PackageInfo;
78import android.content.pm.PackageManager;
79import android.content.pm.PackageManager.NameNotFoundException;
80import android.content.pm.Signature;
81import android.database.ContentObserver;
82import android.net.Uri;
83import android.os.PowerSaveState;
84import android.os.Binder;
85import android.os.Build;
86import android.os.Bundle;
87import android.os.Environment;
88import android.os.Environment.UserEnvironment;
89import android.os.Handler;
90import android.os.HandlerThread;
91import android.os.IBinder;
92import android.os.Looper;
93import android.os.Message;
94import android.os.ParcelFileDescriptor;
95import android.os.PowerManager;
96import android.os.Process;
97import android.os.RemoteException;
98import android.os.SELinux;
99import android.os.ServiceManager;
100import android.os.SystemClock;
101import android.os.UserHandle;
102import android.os.WorkSource;
103import android.os.storage.IStorageManager;
104import android.os.storage.StorageManager;
105import android.provider.Settings;
106import android.system.ErrnoException;
107import android.system.Os;
108import android.text.TextUtils;
109import android.util.AtomicFile;
110import android.util.EventLog;
111import android.util.Log;
112import android.util.Pair;
113import android.util.Slog;
114import android.util.SparseArray;
115import android.util.StringBuilderPrinter;
116
117import com.android.internal.annotations.GuardedBy;
118import com.android.internal.backup.IBackupTransport;
119import com.android.internal.backup.IObbBackupService;
120import com.android.internal.util.DumpUtils;
121import com.android.server.AppWidgetBackupBridge;
122import com.android.server.EventLogTags;
123import com.android.server.SystemConfig;
124import com.android.server.SystemService;
125import com.android.server.backup.PackageManagerBackupAgent.Metadata;
126
127import com.android.server.power.BatterySaverPolicy.ServiceType;
128import libcore.io.IoUtils;
129
130import java.io.BufferedInputStream;
131import java.io.BufferedOutputStream;
132import java.io.ByteArrayInputStream;
133import java.io.ByteArrayOutputStream;
134import java.io.DataInputStream;
135import java.io.DataOutputStream;
136import java.io.EOFException;
137import java.io.File;
138import java.io.FileDescriptor;
139import java.io.FileInputStream;
140import java.io.FileNotFoundException;
141import java.io.FileOutputStream;
142import java.io.IOException;
143import java.io.InputStream;
144import java.io.OutputStream;
145import java.io.PrintWriter;
146import java.io.RandomAccessFile;
147import java.security.InvalidAlgorithmParameterException;
148import java.security.InvalidKeyException;
149import java.security.Key;
150import java.security.MessageDigest;
151import java.security.NoSuchAlgorithmException;
152import java.security.SecureRandom;
153import java.security.spec.InvalidKeySpecException;
154import java.security.spec.KeySpec;
155import java.text.SimpleDateFormat;
156import java.util.ArrayDeque;
157import java.util.ArrayList;
158import java.util.Arrays;
159import java.util.Collections;
160import java.util.Date;
161import java.util.HashMap;
162import java.util.HashSet;
163import java.util.Iterator;
164import java.util.List;
165import java.util.Map.Entry;
166import java.util.Objects;
167import java.util.Queue;
168import java.util.Random;
169import java.util.Set;
170import java.util.TreeMap;
171import java.util.concurrent.CountDownLatch;
172import java.util.concurrent.TimeUnit;
173import java.util.concurrent.atomic.AtomicBoolean;
174import java.util.concurrent.atomic.AtomicInteger;
175import java.util.concurrent.atomic.AtomicLong;
176import java.util.zip.Deflater;
177import java.util.zip.DeflaterOutputStream;
178import java.util.zip.InflaterInputStream;
179
180import javax.crypto.BadPaddingException;
181import javax.crypto.Cipher;
182import javax.crypto.CipherInputStream;
183import javax.crypto.CipherOutputStream;
184import javax.crypto.IllegalBlockSizeException;
185import javax.crypto.NoSuchPaddingException;
186import javax.crypto.SecretKey;
187import javax.crypto.SecretKeyFactory;
188import javax.crypto.spec.IvParameterSpec;
189import javax.crypto.spec.PBEKeySpec;
190import javax.crypto.spec.SecretKeySpec;
191
192public class BackupManagerService implements BackupManagerServiceInterface {
193
194    private static final String TAG = "BackupManagerService";
195    static final boolean DEBUG = true;
196    static final boolean MORE_DEBUG = false;
197    static final boolean DEBUG_SCHEDULING = MORE_DEBUG || true;
198
199    // File containing backup-enabled state.  Contains a single byte;
200    // nonzero == enabled.  File missing or contains a zero byte == disabled.
201    static final String BACKUP_ENABLE_FILE = "backup_enabled";
202
203    // System-private key used for backing up an app's widget state.  Must
204    // begin with U+FFxx by convention (we reserve all keys starting
205    // with U+FF00 or higher for system use).
206    static final String KEY_WIDGET_STATE = "\uffed\uffedwidget";
207
208    // Historical and current algorithm names
209    static final String PBKDF_CURRENT = "PBKDF2WithHmacSHA1";
210    static final String PBKDF_FALLBACK = "PBKDF2WithHmacSHA1And8bit";
211
212    // Name and current contents version of the full-backup manifest file
213    //
214    // Manifest version history:
215    //
216    // 1 : initial release
217    static final String BACKUP_MANIFEST_FILENAME = "_manifest";
218    static final int BACKUP_MANIFEST_VERSION = 1;
219
220    // External archive format version history:
221    //
222    // 1 : initial release
223    // 2 : no format change per se; version bump to facilitate PBKDF2 version skew detection
224    // 3 : introduced "_meta" metadata file; no other format change per se
225    // 4 : added support for new device-encrypted storage locations
226    // 5 : added support for key-value packages
227    static final int BACKUP_FILE_VERSION = 5;
228    static final String BACKUP_FILE_HEADER_MAGIC = "ANDROID BACKUP\n";
229    static final int BACKUP_PW_FILE_VERSION = 2;
230    static final String BACKUP_METADATA_FILENAME = "_meta";
231    static final int BACKUP_METADATA_VERSION = 1;
232    static final int BACKUP_WIDGET_METADATA_TOKEN = 0x01FFED01;
233
234    static final int TAR_HEADER_LONG_RADIX = 8;
235    static final int TAR_HEADER_OFFSET_FILESIZE = 124;
236    static final int TAR_HEADER_LENGTH_FILESIZE = 12;
237    static final int TAR_HEADER_OFFSET_MODTIME = 136;
238    static final int TAR_HEADER_LENGTH_MODTIME = 12;
239    static final int TAR_HEADER_OFFSET_MODE = 100;
240    static final int TAR_HEADER_LENGTH_MODE = 8;
241    static final int TAR_HEADER_OFFSET_PATH_PREFIX = 345;
242    static final int TAR_HEADER_LENGTH_PATH_PREFIX = 155;
243    static final int TAR_HEADER_OFFSET_PATH = 0;
244    static final int TAR_HEADER_LENGTH_PATH = 100;
245    static final int TAR_HEADER_OFFSET_TYPE_CHAR = 156;
246
247    static final boolean COMPRESS_FULL_BACKUPS = true; // should be true in production
248
249    static final String SETTINGS_PACKAGE = "com.android.providers.settings";
250    static final String SHARED_BACKUP_AGENT_PACKAGE = "com.android.sharedstoragebackup";
251    static final String SERVICE_ACTION_TRANSPORT_HOST = "android.backup.TRANSPORT_HOST";
252
253    // Retry interval for clear/init when the transport is unavailable
254    private static final long TRANSPORT_RETRY_INTERVAL = 1 * AlarmManager.INTERVAL_HOUR;
255
256    private static final String RUN_BACKUP_ACTION = "android.app.backup.intent.RUN";
257    private static final String RUN_INITIALIZE_ACTION = "android.app.backup.intent.INIT";
258    private static final int MSG_RUN_BACKUP = 1;
259    private static final int MSG_RUN_ADB_BACKUP = 2;
260    private static final int MSG_RUN_RESTORE = 3;
261    private static final int MSG_RUN_CLEAR = 4;
262    private static final int MSG_RUN_INITIALIZE = 5;
263    private static final int MSG_RUN_GET_RESTORE_SETS = 6;
264    private static final int MSG_RESTORE_SESSION_TIMEOUT = 8;
265    private static final int MSG_FULL_CONFIRMATION_TIMEOUT = 9;
266    private static final int MSG_RUN_ADB_RESTORE = 10;
267    private static final int MSG_RETRY_INIT = 11;
268    private static final int MSG_RETRY_CLEAR = 12;
269    private static final int MSG_WIDGET_BROADCAST = 13;
270    private static final int MSG_RUN_FULL_TRANSPORT_BACKUP = 14;
271    private static final int MSG_REQUEST_BACKUP = 15;
272    private static final int MSG_SCHEDULE_BACKUP_PACKAGE = 16;
273    private static final int MSG_BACKUP_OPERATION_TIMEOUT = 17;
274    private static final int MSG_RESTORE_OPERATION_TIMEOUT = 18;
275
276    // backup task state machine tick
277    static final int MSG_BACKUP_RESTORE_STEP = 20;
278    static final int MSG_OP_COMPLETE = 21;
279
280    // Timeout interval for deciding that a bind or clear-data has taken too long
281    static final long TIMEOUT_INTERVAL = 10 * 1000;
282
283    // Timeout intervals for agent backup & restore operations
284    static final long TIMEOUT_BACKUP_INTERVAL = 30 * 1000;
285    static final long TIMEOUT_FULL_BACKUP_INTERVAL = 5 * 60 * 1000;
286    static final long TIMEOUT_SHARED_BACKUP_INTERVAL = 30 * 60 * 1000;
287    static final long TIMEOUT_RESTORE_INTERVAL = 60 * 1000;
288    static final long TIMEOUT_RESTORE_FINISHED_INTERVAL = 30 * 1000;
289
290    // User confirmation timeout for a full backup/restore operation.  It's this long in
291    // order to give them time to enter the backup password.
292    static final long TIMEOUT_FULL_CONFIRMATION = 60 * 1000;
293
294    // How long between attempts to perform a full-data backup of any given app
295    static final long MIN_FULL_BACKUP_INTERVAL = 1000 * 60 * 60 * 24; // one day
296
297    // If an app is busy when we want to do a full-data backup, how long to defer the retry.
298    // This is fuzzed, so there are two parameters; backoff_min + Rand[0, backoff_fuzz)
299    static final long BUSY_BACKOFF_MIN_MILLIS = 1000 * 60 * 60;  // one hour
300    static final int BUSY_BACKOFF_FUZZ = 1000 * 60 * 60 * 2;  // two hours
301
302    Context mContext;
303    private PackageManager mPackageManager;
304    IPackageManager mPackageManagerBinder;
305    private IActivityManager mActivityManager;
306    private PowerManager mPowerManager;
307    private AlarmManager mAlarmManager;
308    private IStorageManager mStorageManager;
309
310    IBackupManager mBackupManagerBinder;
311
312    private final TransportManager mTransportManager;
313
314    boolean mEnabled;   // access to this is synchronized on 'this'
315    boolean mProvisioned;
316    boolean mAutoRestore;
317    PowerManager.WakeLock mWakelock;
318    HandlerThread mHandlerThread;
319    BackupHandler mBackupHandler;
320    PendingIntent mRunBackupIntent, mRunInitIntent;
321    BroadcastReceiver mRunBackupReceiver, mRunInitReceiver;
322    // map UIDs to the set of participating packages under that UID
323    final SparseArray<HashSet<String>> mBackupParticipants
324            = new SparseArray<HashSet<String>>();
325    // set of backup services that have pending changes
326    class BackupRequest {
327        public String packageName;
328
329        BackupRequest(String pkgName) {
330            packageName = pkgName;
331        }
332
333        public String toString() {
334            return "BackupRequest{pkg=" + packageName + "}";
335        }
336    }
337    // Backups that we haven't started yet.  Keys are package names.
338    HashMap<String,BackupRequest> mPendingBackups
339            = new HashMap<String,BackupRequest>();
340
341    // Pseudoname that we use for the Package Manager metadata "package"
342    static final String PACKAGE_MANAGER_SENTINEL = "@pm@";
343
344    // locking around the pending-backup management
345    final Object mQueueLock = new Object();
346
347    // The thread performing the sequence of queued backups binds to each app's agent
348    // in succession.  Bind notifications are asynchronously delivered through the
349    // Activity Manager; use this lock object to signal when a requested binding has
350    // completed.
351    final Object mAgentConnectLock = new Object();
352    IBackupAgent mConnectedAgent;
353    volatile boolean mBackupRunning;
354    volatile boolean mConnecting;
355    volatile long mLastBackupPass;
356
357    // For debugging, we maintain a progress trace of operations during backup
358    static final boolean DEBUG_BACKUP_TRACE = true;
359    final List<String> mBackupTrace = new ArrayList<String>();
360
361    // A similar synchronization mechanism around clearing apps' data for restore
362    final Object mClearDataLock = new Object();
363    volatile boolean mClearingData;
364
365    @GuardedBy("mPendingRestores")
366    private boolean mIsRestoreInProgress;
367    @GuardedBy("mPendingRestores")
368    private final Queue<PerformUnifiedRestoreTask> mPendingRestores = new ArrayDeque<>();
369
370    ActiveRestoreSession mActiveRestoreSession;
371
372    // Watch the device provisioning operation during setup
373    ContentObserver mProvisionedObserver;
374
375    // The published binder is actually to a singleton trampoline object that calls
376    // through to the proper code.  This indirection lets us turn down the heavy
377    // implementation object on the fly without disturbing binders that have been
378    // cached elsewhere in the system.
379    static Trampoline sInstance;
380    static Trampoline getInstance() {
381        // Always constructed during system bringup, so no need to lazy-init
382        return sInstance;
383    }
384
385    public static final class Lifecycle extends SystemService {
386
387        public Lifecycle(Context context) {
388            super(context);
389            sInstance = new Trampoline(context);
390        }
391
392        @Override
393        public void onStart() {
394            publishBinderService(Context.BACKUP_SERVICE, sInstance);
395        }
396
397        @Override
398        public void onUnlockUser(int userId) {
399            if (userId == UserHandle.USER_SYSTEM) {
400                sInstance.initialize(userId);
401
402                // Migrate legacy setting
403                if (!backupSettingMigrated(userId)) {
404                    if (DEBUG) {
405                        Slog.i(TAG, "Backup enable apparently not migrated");
406                    }
407                    final ContentResolver r = sInstance.mContext.getContentResolver();
408                    final int enableState = Settings.Secure.getIntForUser(r,
409                            Settings.Secure.BACKUP_ENABLED, -1, userId);
410                    if (enableState >= 0) {
411                        if (DEBUG) {
412                            Slog.i(TAG, "Migrating enable state " + (enableState != 0));
413                        }
414                        writeBackupEnableState(enableState != 0, userId);
415                        Settings.Secure.putStringForUser(r,
416                                Settings.Secure.BACKUP_ENABLED, null, userId);
417                    } else {
418                        if (DEBUG) {
419                            Slog.i(TAG, "Backup not yet configured; retaining null enable state");
420                        }
421                    }
422                }
423
424                try {
425                    sInstance.setBackupEnabled(readBackupEnableState(userId));
426                } catch (RemoteException e) {
427                    // can't happen; it's a local object
428                }
429            }
430        }
431    }
432
433    class ProvisionedObserver extends ContentObserver {
434        public ProvisionedObserver(Handler handler) {
435            super(handler);
436        }
437
438        public void onChange(boolean selfChange) {
439            final boolean wasProvisioned = mProvisioned;
440            final boolean isProvisioned = deviceIsProvisioned();
441            // latch: never unprovision
442            mProvisioned = wasProvisioned || isProvisioned;
443            if (MORE_DEBUG) {
444                Slog.d(TAG, "Provisioning change: was=" + wasProvisioned
445                        + " is=" + isProvisioned + " now=" + mProvisioned);
446            }
447
448            synchronized (mQueueLock) {
449                if (mProvisioned && !wasProvisioned && mEnabled) {
450                    // we're now good to go, so start the backup alarms
451                    if (MORE_DEBUG) Slog.d(TAG, "Now provisioned, so starting backups");
452                    KeyValueBackupJob.schedule(mContext);
453                    scheduleNextFullBackupJob(0);
454                }
455            }
456        }
457    }
458
459    class RestoreGetSetsParams {
460        public IBackupTransport transport;
461        public ActiveRestoreSession session;
462        public IRestoreObserver observer;
463        public IBackupManagerMonitor monitor;
464
465        RestoreGetSetsParams(IBackupTransport _transport, ActiveRestoreSession _session,
466                IRestoreObserver _observer, IBackupManagerMonitor _monitor) {
467            transport = _transport;
468            session = _session;
469            observer = _observer;
470            monitor = _monitor;
471        }
472    }
473
474    class RestoreParams {
475        public IBackupTransport transport;
476        public String dirName;
477        public IRestoreObserver observer;
478        public IBackupManagerMonitor monitor;
479        public long token;
480        public PackageInfo pkgInfo;
481        public int pmToken; // in post-install restore, the PM's token for this transaction
482        public boolean isSystemRestore;
483        public String[] filterSet;
484
485        /**
486         * Restore a single package; no kill after restore
487         */
488        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
489                IBackupManagerMonitor _monitor, long _token, PackageInfo _pkg) {
490            transport = _transport;
491            dirName = _dirName;
492            observer = _obs;
493            monitor = _monitor;
494            token = _token;
495            pkgInfo = _pkg;
496            pmToken = 0;
497            isSystemRestore = false;
498            filterSet = null;
499        }
500
501        /**
502         * Restore at install: PM token needed, kill after restore
503         */
504        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
505                IBackupManagerMonitor _monitor, long _token, String _pkgName, int _pmToken) {
506            transport = _transport;
507            dirName = _dirName;
508            observer = _obs;
509            monitor = _monitor;
510            token = _token;
511            pkgInfo = null;
512            pmToken = _pmToken;
513            isSystemRestore = false;
514            filterSet = new String[] { _pkgName };
515        }
516
517        /**
518         * Restore everything possible.  This is the form that Setup Wizard or similar
519         * restore UXes use.
520         */
521        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
522                IBackupManagerMonitor _monitor, long _token) {
523            transport = _transport;
524            dirName = _dirName;
525            observer = _obs;
526            monitor = _monitor;
527            token = _token;
528            pkgInfo = null;
529            pmToken = 0;
530            isSystemRestore = true;
531            filterSet = null;
532        }
533
534        /**
535         * Restore some set of packages.  Leave this one up to the caller to specify
536         * whether it's to be considered a system-level restore.
537         */
538        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
539                IBackupManagerMonitor _monitor, long _token,
540                String[] _filterSet, boolean _isSystemRestore) {
541            transport = _transport;
542            dirName = _dirName;
543            observer = _obs;
544            monitor = _monitor;
545            token = _token;
546            pkgInfo = null;
547            pmToken = 0;
548            isSystemRestore = _isSystemRestore;
549            filterSet = _filterSet;
550        }
551    }
552
553    class ClearParams {
554        public IBackupTransport transport;
555        public PackageInfo packageInfo;
556
557        ClearParams(IBackupTransport _transport, PackageInfo _info) {
558            transport = _transport;
559            packageInfo = _info;
560        }
561    }
562
563    class ClearRetryParams {
564        public String transportName;
565        public String packageName;
566
567        ClearRetryParams(String transport, String pkg) {
568            transportName = transport;
569            packageName = pkg;
570        }
571    }
572
573    // Parameters used by adbBackup() and adbRestore()
574    class AdbParams {
575        public ParcelFileDescriptor fd;
576        public final AtomicBoolean latch;
577        public IFullBackupRestoreObserver observer;
578        public String curPassword;     // filled in by the confirmation step
579        public String encryptPassword;
580
581        AdbParams() {
582            latch = new AtomicBoolean(false);
583        }
584    }
585
586    class AdbBackupParams extends AdbParams {
587        public boolean includeApks;
588        public boolean includeObbs;
589        public boolean includeShared;
590        public boolean doWidgets;
591        public boolean allApps;
592        public boolean includeSystem;
593        public boolean doCompress;
594        public boolean includeKeyValue;
595        public String[] packages;
596
597        AdbBackupParams(ParcelFileDescriptor output, boolean saveApks, boolean saveObbs,
598                boolean saveShared, boolean alsoWidgets, boolean doAllApps, boolean doSystem,
599                boolean compress, boolean doKeyValue, String[] pkgList) {
600            fd = output;
601            includeApks = saveApks;
602            includeObbs = saveObbs;
603            includeShared = saveShared;
604            doWidgets = alsoWidgets;
605            allApps = doAllApps;
606            includeSystem = doSystem;
607            doCompress = compress;
608            includeKeyValue = doKeyValue;
609            packages = pkgList;
610        }
611    }
612
613    class AdbRestoreParams extends AdbParams {
614        AdbRestoreParams(ParcelFileDescriptor input) {
615            fd = input;
616        }
617    }
618
619    class BackupParams {
620        public IBackupTransport transport;
621        public String dirName;
622        public ArrayList<String> kvPackages;
623        public ArrayList<String> fullPackages;
624        public IBackupObserver observer;
625        public IBackupManagerMonitor monitor;
626        public boolean userInitiated;
627        public boolean nonIncrementalBackup;
628
629        BackupParams(IBackupTransport transport, String dirName, ArrayList<String> kvPackages,
630                ArrayList<String> fullPackages, IBackupObserver observer,
631                IBackupManagerMonitor monitor,boolean userInitiated, boolean nonIncrementalBackup) {
632            this.transport = transport;
633            this.dirName = dirName;
634            this.kvPackages = kvPackages;
635            this.fullPackages = fullPackages;
636            this.observer = observer;
637            this.monitor = monitor;
638            this.userInitiated = userInitiated;
639            this.nonIncrementalBackup = nonIncrementalBackup;
640        }
641    }
642
643    // Bookkeeping of in-flight operations for timeout etc. purposes.  The operation
644    // token is the index of the entry in the pending-operations list.
645    static final int OP_PENDING = 0;
646    static final int OP_ACKNOWLEDGED = 1;
647    static final int OP_TIMEOUT = -1;
648
649    // Waiting for backup agent to respond during backup operation.
650    static final int OP_TYPE_BACKUP_WAIT = 0;
651
652    // Waiting for backup agent to respond during restore operation.
653    static final int OP_TYPE_RESTORE_WAIT = 1;
654
655    // An entire backup operation spanning multiple packages.
656    private static final int OP_TYPE_BACKUP = 2;
657
658    class Operation {
659        int state;
660        final BackupRestoreTask callback;
661        final int type;
662
663        Operation(int initialState, BackupRestoreTask callbackObj, int type) {
664            state = initialState;
665            callback = callbackObj;
666            this.type = type;
667        }
668    }
669
670    /**
671     * mCurrentOperations contains the list of currently active operations.
672     *
673     * If type of operation is OP_TYPE_WAIT, it are waiting for an ack or timeout.
674     * An operation wraps a BackupRestoreTask within it.
675     * It's the responsibility of this task to remove the operation from this array.
676     *
677     * A BackupRestore task gets notified of ack/timeout for the operation via
678     * BackupRestoreTask#handleCancel, BackupRestoreTask#operationComplete and notifyAll called
679     * on the mCurrentOpLock. {@link BackupManagerService#waitUntilOperationComplete(int)} is
680     * used in various places to 'wait' for notifyAll and detect change of pending state of an
681     * operation. So typically, an operation will be removed from this array by:
682     *   - BackupRestoreTask#handleCancel and
683     *   - BackupRestoreTask#operationComplete OR waitUntilOperationComplete. Do not remove at both
684     *     these places because waitUntilOperationComplete relies on the operation being present to
685     *     determine its completion status.
686     *
687     * If type of operation is OP_BACKUP, it is a task running backups. It provides a handle to
688     * cancel backup tasks.
689     */
690    @GuardedBy("mCurrentOpLock")
691    final SparseArray<Operation> mCurrentOperations = new SparseArray<Operation>();
692    final Object mCurrentOpLock = new Object();
693    final Random mTokenGenerator = new Random();
694
695    final SparseArray<AdbParams> mAdbBackupRestoreConfirmations = new SparseArray<AdbParams>();
696
697    // Where we keep our journal files and other bookkeeping
698    File mBaseStateDir;
699    File mDataDir;
700    File mJournalDir;
701    File mJournal;
702
703    // Backup password, if any, and the file where it's saved.  What is stored is not the
704    // password text itself; it's the result of a PBKDF2 hash with a randomly chosen (but
705    // persisted) salt.  Validation is performed by running the challenge text through the
706    // same PBKDF2 cycle with the persisted salt; if the resulting derived key string matches
707    // the saved hash string, then the challenge text matches the originally supplied
708    // password text.
709    private final SecureRandom mRng = new SecureRandom();
710    private String mPasswordHash;
711    private File mPasswordHashFile;
712    private int mPasswordVersion;
713    private File mPasswordVersionFile;
714    private byte[] mPasswordSalt;
715
716    // Configuration of PBKDF2 that we use for generating pw hashes and intermediate keys
717    static final int PBKDF2_HASH_ROUNDS = 10000;
718    static final int PBKDF2_KEY_SIZE = 256;     // bits
719    static final int PBKDF2_SALT_SIZE = 512;    // bits
720    static final String ENCRYPTION_ALGORITHM_NAME = "AES-256";
721
722    // Keep a log of all the apps we've ever backed up, and what the
723    // dataset tokens are for both the current backup dataset and
724    // the ancestral dataset.
725    private File mEverStored;
726    HashSet<String> mEverStoredApps = new HashSet<String>();
727
728    static final int CURRENT_ANCESTRAL_RECORD_VERSION = 1;  // increment when the schema changes
729    File mTokenFile;
730    Set<String> mAncestralPackages = null;
731    long mAncestralToken = 0;
732    long mCurrentToken = 0;
733
734    // Persistently track the need to do a full init
735    static final String INIT_SENTINEL_FILE_NAME = "_need_init_";
736    HashSet<String> mPendingInits = new HashSet<String>();  // transport names
737
738    // Round-robin queue for scheduling full backup passes
739    static final int SCHEDULE_FILE_VERSION = 1; // current version of the schedule file
740    class FullBackupEntry implements Comparable<FullBackupEntry> {
741        String packageName;
742        long lastBackup;
743
744        FullBackupEntry(String pkg, long when) {
745            packageName = pkg;
746            lastBackup = when;
747        }
748
749        @Override
750        public int compareTo(FullBackupEntry other) {
751            if (lastBackup < other.lastBackup) return -1;
752            else if (lastBackup > other.lastBackup) return 1;
753            else return 0;
754        }
755    }
756
757    File mFullBackupScheduleFile;
758    // If we're running a schedule-driven full backup, this is the task instance doing it
759
760    @GuardedBy("mQueueLock")
761    PerformFullTransportBackupTask mRunningFullBackupTask;
762
763    @GuardedBy("mQueueLock")
764    ArrayList<FullBackupEntry> mFullBackupQueue;
765
766    // Utility: build a new random integer token
767    @Override
768    public int generateRandomIntegerToken() {
769        int token;
770        do {
771            synchronized (mTokenGenerator) {
772                token = mTokenGenerator.nextInt();
773            }
774        } while (token < 0);
775        return token;
776    }
777
778    // High level policy: apps are generally ineligible for backup if certain conditions apply
779    public static boolean appIsEligibleForBackup(ApplicationInfo app, PackageManager pm) {
780        // 1. their manifest states android:allowBackup="false"
781        if ((app.flags&ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
782            return false;
783        }
784
785        // 2. they run as a system-level uid but do not supply their own backup agent
786        if ((app.uid < Process.FIRST_APPLICATION_UID) && (app.backupAgentName == null)) {
787            return false;
788        }
789
790        // 3. it is the special shared-storage backup package used for 'adb backup'
791        if (app.packageName.equals(BackupManagerService.SHARED_BACKUP_AGENT_PACKAGE)) {
792            return false;
793        }
794
795        // Everything else checks out; the only remaining roadblock would be if the
796        // package were disabled
797        return !appIsDisabled(app, pm);
798    }
799
800    // Checks if the app is in a stopped state.  This is not part of the general "eligible for
801    // backup?" check because we *do* still need to restore data to apps in this state (e.g.
802    // newly-installing ones)
803    private static boolean appIsStopped(ApplicationInfo app) {
804        return ((app.flags & ApplicationInfo.FLAG_STOPPED) != 0);
805    }
806
807    private static boolean appIsDisabled(ApplicationInfo app, PackageManager pm) {
808        switch (pm.getApplicationEnabledSetting(app.packageName)) {
809            case PackageManager.COMPONENT_ENABLED_STATE_DISABLED:
810            case PackageManager.COMPONENT_ENABLED_STATE_DISABLED_USER:
811            case PackageManager.COMPONENT_ENABLED_STATE_DISABLED_UNTIL_USED:
812                return true;
813
814            default:
815                return false;
816        }
817    }
818
819    /* does *not* check overall backup eligibility policy! */
820    private static boolean appGetsFullBackup(PackageInfo pkg) {
821        if (pkg.applicationInfo.backupAgentName != null) {
822            // If it has an agent, it gets full backups only if it says so
823            return (pkg.applicationInfo.flags & ApplicationInfo.FLAG_FULL_BACKUP_ONLY) != 0;
824        }
825
826        // No agent or fullBackupOnly="true" means we do indeed perform full-data backups for it
827        return true;
828    }
829
830    /* adb backup: is this app only capable of doing key/value?  We say otherwise if
831     * the app has a backup agent and does not say fullBackupOnly,
832     */
833    private static boolean appIsKeyValueOnly(PackageInfo pkg) {
834        return !appGetsFullBackup(pkg);
835    }
836
837    // ----- Asynchronous backup/restore handler thread -----
838
839    private class BackupHandler extends Handler {
840        public BackupHandler(Looper looper) {
841            super(looper);
842        }
843
844        public void handleMessage(Message msg) {
845
846            switch (msg.what) {
847            case MSG_RUN_BACKUP:
848            {
849                mLastBackupPass = System.currentTimeMillis();
850
851                IBackupTransport transport = mTransportManager.getCurrentTransportBinder();
852                if (transport == null) {
853                    Slog.v(TAG, "Backup requested but no transport available");
854                    synchronized (mQueueLock) {
855                        mBackupRunning = false;
856                    }
857                    mWakelock.release();
858                    break;
859                }
860
861                // snapshot the pending-backup set and work on that
862                ArrayList<BackupRequest> queue = new ArrayList<BackupRequest>();
863                File oldJournal = mJournal;
864                synchronized (mQueueLock) {
865                    // Do we have any work to do?  Construct the work queue
866                    // then release the synchronization lock to actually run
867                    // the backup.
868                    if (mPendingBackups.size() > 0) {
869                        for (BackupRequest b: mPendingBackups.values()) {
870                            queue.add(b);
871                        }
872                        if (DEBUG) Slog.v(TAG, "clearing pending backups");
873                        mPendingBackups.clear();
874
875                        // Start a new backup-queue journal file too
876                        mJournal = null;
877
878                    }
879                }
880
881                // At this point, we have started a new journal file, and the old
882                // file identity is being passed to the backup processing task.
883                // When it completes successfully, that old journal file will be
884                // deleted.  If we crash prior to that, the old journal is parsed
885                // at next boot and the journaled requests fulfilled.
886                boolean staged = true;
887                if (queue.size() > 0) {
888                    // Spin up a backup state sequence and set it running
889                    try {
890                        String dirName = transport.transportDirName();
891                        PerformBackupTask pbt = new PerformBackupTask(transport, dirName, queue,
892                                oldJournal, null, null, Collections.<String>emptyList(), false,
893                                false /* nonIncremental */);
894                        Message pbtMessage = obtainMessage(MSG_BACKUP_RESTORE_STEP, pbt);
895                        sendMessage(pbtMessage);
896                    } catch (Exception e) {
897                        // unable to ask the transport its dir name -- transient failure, since
898                        // the above check succeeded.  Try again next time.
899                        Slog.e(TAG, "Transport became unavailable attempting backup"
900                                + " or error initializing backup task", e);
901                        staged = false;
902                    }
903                } else {
904                    Slog.v(TAG, "Backup requested but nothing pending");
905                    staged = false;
906                }
907
908                if (!staged) {
909                    // if we didn't actually hand off the wakelock, rewind until next time
910                    synchronized (mQueueLock) {
911                        mBackupRunning = false;
912                    }
913                    mWakelock.release();
914                }
915                break;
916            }
917
918            case MSG_BACKUP_RESTORE_STEP:
919            {
920                try {
921                    BackupRestoreTask task = (BackupRestoreTask) msg.obj;
922                    if (MORE_DEBUG) Slog.v(TAG, "Got next step for " + task + ", executing");
923                    task.execute();
924                } catch (ClassCastException e) {
925                    Slog.e(TAG, "Invalid backup task in flight, obj=" + msg.obj);
926                }
927                break;
928            }
929
930            case MSG_OP_COMPLETE:
931            {
932                try {
933                    Pair<BackupRestoreTask, Long> taskWithResult =
934                            (Pair<BackupRestoreTask, Long>) msg.obj;
935                    taskWithResult.first.operationComplete(taskWithResult.second);
936                } catch (ClassCastException e) {
937                    Slog.e(TAG, "Invalid completion in flight, obj=" + msg.obj);
938                }
939                break;
940            }
941
942            case MSG_RUN_ADB_BACKUP:
943            {
944                // TODO: refactor full backup to be a looper-based state machine
945                // similar to normal backup/restore.
946                AdbBackupParams params = (AdbBackupParams)msg.obj;
947                PerformAdbBackupTask task = new PerformAdbBackupTask(params.fd,
948                        params.observer, params.includeApks, params.includeObbs,
949                        params.includeShared, params.doWidgets, params.curPassword,
950                        params.encryptPassword, params.allApps, params.includeSystem,
951                        params.doCompress, params.includeKeyValue, params.packages, params.latch);
952                (new Thread(task, "adb-backup")).start();
953                break;
954            }
955
956            case MSG_RUN_FULL_TRANSPORT_BACKUP:
957            {
958                PerformFullTransportBackupTask task = (PerformFullTransportBackupTask) msg.obj;
959                (new Thread(task, "transport-backup")).start();
960                break;
961            }
962
963            case MSG_RUN_RESTORE:
964            {
965                RestoreParams params = (RestoreParams)msg.obj;
966                Slog.d(TAG, "MSG_RUN_RESTORE observer=" + params.observer);
967
968                PerformUnifiedRestoreTask task = new PerformUnifiedRestoreTask(params.transport,
969                        params.observer, params.monitor, params.token, params.pkgInfo,
970                        params.pmToken, params.isSystemRestore, params.filterSet);
971
972                synchronized (mPendingRestores) {
973                    if (mIsRestoreInProgress) {
974                        if (DEBUG) {
975                            Slog.d(TAG, "Restore in progress, queueing.");
976                        }
977                        mPendingRestores.add(task);
978                        // This task will be picked up and executed when the the currently running
979                        // restore task finishes.
980                    } else {
981                        if (DEBUG) {
982                            Slog.d(TAG, "Starting restore.");
983                        }
984                        mIsRestoreInProgress = true;
985                        Message restoreMsg = obtainMessage(MSG_BACKUP_RESTORE_STEP, task);
986                        sendMessage(restoreMsg);
987                    }
988                }
989                break;
990            }
991
992            case MSG_RUN_ADB_RESTORE:
993            {
994                // TODO: refactor full restore to be a looper-based state machine
995                // similar to normal backup/restore.
996                AdbRestoreParams params = (AdbRestoreParams)msg.obj;
997                PerformAdbRestoreTask task = new PerformAdbRestoreTask(params.fd,
998                        params.curPassword, params.encryptPassword,
999                        params.observer, params.latch);
1000                (new Thread(task, "adb-restore")).start();
1001                break;
1002            }
1003
1004            case MSG_RUN_CLEAR:
1005            {
1006                ClearParams params = (ClearParams)msg.obj;
1007                (new PerformClearTask(params.transport, params.packageInfo)).run();
1008                break;
1009            }
1010
1011            case MSG_RETRY_CLEAR:
1012            {
1013                // reenqueues if the transport remains unavailable
1014                ClearRetryParams params = (ClearRetryParams)msg.obj;
1015                clearBackupData(params.transportName, params.packageName);
1016                break;
1017            }
1018
1019            case MSG_RUN_INITIALIZE:
1020            {
1021                HashSet<String> queue;
1022
1023                // Snapshot the pending-init queue and work on that
1024                synchronized (mQueueLock) {
1025                    queue = new HashSet<String>(mPendingInits);
1026                    mPendingInits.clear();
1027                }
1028
1029                (new PerformInitializeTask(queue)).run();
1030                break;
1031            }
1032
1033            case MSG_RETRY_INIT:
1034            {
1035                synchronized (mQueueLock) {
1036                    recordInitPendingLocked(msg.arg1 != 0, (String)msg.obj);
1037                    mAlarmManager.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(),
1038                            mRunInitIntent);
1039                }
1040                break;
1041            }
1042
1043            case MSG_RUN_GET_RESTORE_SETS:
1044            {
1045                // Like other async operations, this is entered with the wakelock held
1046                RestoreSet[] sets = null;
1047                RestoreGetSetsParams params = (RestoreGetSetsParams)msg.obj;
1048                try {
1049                    sets = params.transport.getAvailableRestoreSets();
1050                    // cache the result in the active session
1051                    synchronized (params.session) {
1052                        params.session.mRestoreSets = sets;
1053                    }
1054                    if (sets == null) EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
1055                } catch (Exception e) {
1056                    Slog.e(TAG, "Error from transport getting set list: " + e.getMessage());
1057                } finally {
1058                    if (params.observer != null) {
1059                        try {
1060                            params.observer.restoreSetsAvailable(sets);
1061                        } catch (RemoteException re) {
1062                            Slog.e(TAG, "Unable to report listing to observer");
1063                        } catch (Exception e) {
1064                            Slog.e(TAG, "Restore observer threw: " + e.getMessage());
1065                        }
1066                    }
1067
1068                    // Done: reset the session timeout clock
1069                    removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
1070                    sendEmptyMessageDelayed(MSG_RESTORE_SESSION_TIMEOUT, TIMEOUT_RESTORE_INTERVAL);
1071
1072                    mWakelock.release();
1073                }
1074                break;
1075            }
1076
1077            case MSG_BACKUP_OPERATION_TIMEOUT:
1078            case MSG_RESTORE_OPERATION_TIMEOUT:
1079            {
1080                Slog.d(TAG, "Timeout message received for token=" + Integer.toHexString(msg.arg1));
1081                handleCancel(msg.arg1, false);
1082                break;
1083            }
1084
1085            case MSG_RESTORE_SESSION_TIMEOUT:
1086            {
1087                synchronized (BackupManagerService.this) {
1088                    if (mActiveRestoreSession != null) {
1089                        // Client app left the restore session dangling.  We know that it
1090                        // can't be in the middle of an actual restore operation because
1091                        // the timeout is suspended while a restore is in progress.  Clean
1092                        // up now.
1093                        Slog.w(TAG, "Restore session timed out; aborting");
1094                        mActiveRestoreSession.markTimedOut();
1095                        post(mActiveRestoreSession.new EndRestoreRunnable(
1096                                BackupManagerService.this, mActiveRestoreSession));
1097                    }
1098                }
1099                break;
1100            }
1101
1102            case MSG_FULL_CONFIRMATION_TIMEOUT:
1103            {
1104                synchronized (mAdbBackupRestoreConfirmations) {
1105                    AdbParams params = mAdbBackupRestoreConfirmations.get(msg.arg1);
1106                    if (params != null) {
1107                        Slog.i(TAG, "Full backup/restore timed out waiting for user confirmation");
1108
1109                        // Release the waiter; timeout == completion
1110                        signalAdbBackupRestoreCompletion(params);
1111
1112                        // Remove the token from the set
1113                        mAdbBackupRestoreConfirmations.delete(msg.arg1);
1114
1115                        // Report a timeout to the observer, if any
1116                        if (params.observer != null) {
1117                            try {
1118                                params.observer.onTimeout();
1119                            } catch (RemoteException e) {
1120                                /* don't care if the app has gone away */
1121                            }
1122                        }
1123                    } else {
1124                        Slog.d(TAG, "couldn't find params for token " + msg.arg1);
1125                    }
1126                }
1127                break;
1128            }
1129
1130            case MSG_WIDGET_BROADCAST:
1131            {
1132                final Intent intent = (Intent) msg.obj;
1133                mContext.sendBroadcastAsUser(intent, UserHandle.SYSTEM);
1134                break;
1135            }
1136
1137            case MSG_REQUEST_BACKUP:
1138            {
1139                BackupParams params = (BackupParams)msg.obj;
1140                if (MORE_DEBUG) {
1141                    Slog.d(TAG, "MSG_REQUEST_BACKUP observer=" + params.observer);
1142                }
1143                ArrayList<BackupRequest> kvQueue = new ArrayList<>();
1144                for (String packageName : params.kvPackages) {
1145                    kvQueue.add(new BackupRequest(packageName));
1146                }
1147                mBackupRunning = true;
1148                mWakelock.acquire();
1149
1150                PerformBackupTask pbt = new PerformBackupTask(params.transport, params.dirName,
1151                        kvQueue, null, params.observer, params.monitor, params.fullPackages, true,
1152                        params.nonIncrementalBackup);
1153                Message pbtMessage = obtainMessage(MSG_BACKUP_RESTORE_STEP, pbt);
1154                sendMessage(pbtMessage);
1155                break;
1156            }
1157
1158            case MSG_SCHEDULE_BACKUP_PACKAGE:
1159            {
1160                String pkgName = (String)msg.obj;
1161                if (MORE_DEBUG) {
1162                    Slog.d(TAG, "MSG_SCHEDULE_BACKUP_PACKAGE " + pkgName);
1163                }
1164                dataChangedImpl(pkgName);
1165                break;
1166            }
1167            }
1168        }
1169    }
1170
1171    // ----- Debug-only backup operation trace -----
1172    void addBackupTrace(String s) {
1173        if (DEBUG_BACKUP_TRACE) {
1174            synchronized (mBackupTrace) {
1175                mBackupTrace.add(s);
1176            }
1177        }
1178    }
1179
1180    void clearBackupTrace() {
1181        if (DEBUG_BACKUP_TRACE) {
1182            synchronized (mBackupTrace) {
1183                mBackupTrace.clear();
1184            }
1185        }
1186    }
1187
1188    // ----- Main service implementation -----
1189
1190    public BackupManagerService(Context context, Trampoline parent) {
1191        mContext = context;
1192        mPackageManager = context.getPackageManager();
1193        mPackageManagerBinder = AppGlobals.getPackageManager();
1194        mActivityManager = ActivityManager.getService();
1195
1196        mAlarmManager = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
1197        mPowerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
1198        mStorageManager = IStorageManager.Stub.asInterface(ServiceManager.getService("mount"));
1199
1200        mBackupManagerBinder = Trampoline.asInterface(parent.asBinder());
1201
1202        // spin up the backup/restore handler thread
1203        mHandlerThread = new HandlerThread("backup", Process.THREAD_PRIORITY_BACKGROUND);
1204        mHandlerThread.start();
1205        mBackupHandler = new BackupHandler(mHandlerThread.getLooper());
1206
1207        // Set up our bookkeeping
1208        final ContentResolver resolver = context.getContentResolver();
1209        mProvisioned = Settings.Global.getInt(resolver,
1210                Settings.Global.DEVICE_PROVISIONED, 0) != 0;
1211        mAutoRestore = Settings.Secure.getInt(resolver,
1212                Settings.Secure.BACKUP_AUTO_RESTORE, 1) != 0;
1213
1214        mProvisionedObserver = new ProvisionedObserver(mBackupHandler);
1215        resolver.registerContentObserver(
1216                Settings.Global.getUriFor(Settings.Global.DEVICE_PROVISIONED),
1217                false, mProvisionedObserver);
1218
1219        // If Encrypted file systems is enabled or disabled, this call will return the
1220        // correct directory.
1221        mBaseStateDir = new File(Environment.getDataDirectory(), "backup");
1222        mBaseStateDir.mkdirs();
1223        if (!SELinux.restorecon(mBaseStateDir)) {
1224            Slog.e(TAG, "SELinux restorecon failed on " + mBaseStateDir);
1225        }
1226
1227        // This dir on /cache is managed directly in init.rc
1228        mDataDir = new File(Environment.getDownloadCacheDirectory(), "backup_stage");
1229
1230        mPasswordVersion = 1;       // unless we hear otherwise
1231        mPasswordVersionFile = new File(mBaseStateDir, "pwversion");
1232        if (mPasswordVersionFile.exists()) {
1233            FileInputStream fin = null;
1234            DataInputStream in = null;
1235            try {
1236                fin = new FileInputStream(mPasswordVersionFile);
1237                in = new DataInputStream(fin);
1238                mPasswordVersion = in.readInt();
1239            } catch (IOException e) {
1240                Slog.e(TAG, "Unable to read backup pw version");
1241            } finally {
1242                try {
1243                    if (in != null) in.close();
1244                    if (fin != null) fin.close();
1245                } catch (IOException e) {
1246                    Slog.w(TAG, "Error closing pw version files");
1247                }
1248            }
1249        }
1250
1251        mPasswordHashFile = new File(mBaseStateDir, "pwhash");
1252        if (mPasswordHashFile.exists()) {
1253            FileInputStream fin = null;
1254            DataInputStream in = null;
1255            try {
1256                fin = new FileInputStream(mPasswordHashFile);
1257                in = new DataInputStream(new BufferedInputStream(fin));
1258                // integer length of the salt array, followed by the salt,
1259                // then the hex pw hash string
1260                int saltLen = in.readInt();
1261                byte[] salt = new byte[saltLen];
1262                in.readFully(salt);
1263                mPasswordHash = in.readUTF();
1264                mPasswordSalt = salt;
1265            } catch (IOException e) {
1266                Slog.e(TAG, "Unable to read saved backup pw hash");
1267            } finally {
1268                try {
1269                    if (in != null) in.close();
1270                    if (fin != null) fin.close();
1271                } catch (IOException e) {
1272                    Slog.w(TAG, "Unable to close streams");
1273                }
1274            }
1275        }
1276
1277        // Alarm receivers for scheduled backups & initialization operations
1278        mRunBackupReceiver = new RunBackupReceiver();
1279        IntentFilter filter = new IntentFilter();
1280        filter.addAction(RUN_BACKUP_ACTION);
1281        context.registerReceiver(mRunBackupReceiver, filter,
1282                android.Manifest.permission.BACKUP, null);
1283
1284        mRunInitReceiver = new RunInitializeReceiver();
1285        filter = new IntentFilter();
1286        filter.addAction(RUN_INITIALIZE_ACTION);
1287        context.registerReceiver(mRunInitReceiver, filter,
1288                android.Manifest.permission.BACKUP, null);
1289
1290        Intent backupIntent = new Intent(RUN_BACKUP_ACTION);
1291        backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
1292        mRunBackupIntent = PendingIntent.getBroadcast(context, MSG_RUN_BACKUP, backupIntent, 0);
1293
1294        Intent initIntent = new Intent(RUN_INITIALIZE_ACTION);
1295        backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
1296        mRunInitIntent = PendingIntent.getBroadcast(context, MSG_RUN_INITIALIZE, initIntent, 0);
1297
1298        // Set up the backup-request journaling
1299        mJournalDir = new File(mBaseStateDir, "pending");
1300        mJournalDir.mkdirs();   // creates mBaseStateDir along the way
1301        mJournal = null;        // will be created on first use
1302
1303        // Set up the various sorts of package tracking we do
1304        mFullBackupScheduleFile = new File(mBaseStateDir, "fb-schedule");
1305        initPackageTracking();
1306
1307        // Build our mapping of uid to backup client services.  This implicitly
1308        // schedules a backup pass on the Package Manager metadata the first
1309        // time anything needs to be backed up.
1310        synchronized (mBackupParticipants) {
1311            addPackageParticipantsLocked(null);
1312        }
1313
1314        // Set up our transport options and initialize the default transport
1315        // TODO: Don't create transports that we don't need to?
1316        SystemConfig systemConfig = SystemConfig.getInstance();
1317        Set<ComponentName> transportWhitelist = systemConfig.getBackupTransportWhitelist();
1318
1319        String transport = Settings.Secure.getString(context.getContentResolver(),
1320                Settings.Secure.BACKUP_TRANSPORT);
1321        if (TextUtils.isEmpty(transport)) {
1322            transport = null;
1323        }
1324        String currentTransport = transport;
1325        if (DEBUG) Slog.v(TAG, "Starting with transport " + currentTransport);
1326
1327        mTransportManager = new TransportManager(context, transportWhitelist, currentTransport,
1328                mTransportBoundListener, mHandlerThread.getLooper());
1329        mTransportManager.registerAllTransports();
1330
1331        // Now that we know about valid backup participants, parse any
1332        // leftover journal files into the pending backup set
1333        mBackupHandler.post(() -> parseLeftoverJournals());
1334
1335        // Power management
1336        mWakelock = mPowerManager.newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, "*backup*");
1337    }
1338
1339    private class RunBackupReceiver extends BroadcastReceiver {
1340        public void onReceive(Context context, Intent intent) {
1341            if (RUN_BACKUP_ACTION.equals(intent.getAction())) {
1342                synchronized (mQueueLock) {
1343                    if (mPendingInits.size() > 0) {
1344                        // If there are pending init operations, we process those
1345                        // and then settle into the usual periodic backup schedule.
1346                        if (MORE_DEBUG) Slog.v(TAG, "Init pending at scheduled backup");
1347                        try {
1348                            mAlarmManager.cancel(mRunInitIntent);
1349                            mRunInitIntent.send();
1350                        } catch (PendingIntent.CanceledException ce) {
1351                            Slog.e(TAG, "Run init intent cancelled");
1352                            // can't really do more than bail here
1353                        }
1354                    } else {
1355                        // Don't run backups now if we're disabled or not yet
1356                        // fully set up.
1357                        if (mEnabled && mProvisioned) {
1358                            if (!mBackupRunning) {
1359                                if (DEBUG) Slog.v(TAG, "Running a backup pass");
1360
1361                                // Acquire the wakelock and pass it to the backup thread.  it will
1362                                // be released once backup concludes.
1363                                mBackupRunning = true;
1364                                mWakelock.acquire();
1365
1366                                Message msg = mBackupHandler.obtainMessage(MSG_RUN_BACKUP);
1367                                mBackupHandler.sendMessage(msg);
1368                            } else {
1369                                Slog.i(TAG, "Backup time but one already running");
1370                            }
1371                        } else {
1372                            Slog.w(TAG, "Backup pass but e=" + mEnabled + " p=" + mProvisioned);
1373                        }
1374                    }
1375                }
1376            }
1377        }
1378    }
1379
1380    private class RunInitializeReceiver extends BroadcastReceiver {
1381        public void onReceive(Context context, Intent intent) {
1382            if (RUN_INITIALIZE_ACTION.equals(intent.getAction())) {
1383                synchronized (mQueueLock) {
1384                    if (DEBUG) Slog.v(TAG, "Running a device init");
1385
1386                    // Acquire the wakelock and pass it to the init thread.  it will
1387                    // be released once init concludes.
1388                    mWakelock.acquire();
1389
1390                    Message msg = mBackupHandler.obtainMessage(MSG_RUN_INITIALIZE);
1391                    mBackupHandler.sendMessage(msg);
1392                }
1393            }
1394        }
1395    }
1396
1397    private void initPackageTracking() {
1398        if (MORE_DEBUG) Slog.v(TAG, "` tracking");
1399
1400        // Remember our ancestral dataset
1401        mTokenFile = new File(mBaseStateDir, "ancestral");
1402        try {
1403            RandomAccessFile tf = new RandomAccessFile(mTokenFile, "r");
1404            int version = tf.readInt();
1405            if (version == CURRENT_ANCESTRAL_RECORD_VERSION) {
1406                mAncestralToken = tf.readLong();
1407                mCurrentToken = tf.readLong();
1408
1409                int numPackages = tf.readInt();
1410                if (numPackages >= 0) {
1411                    mAncestralPackages = new HashSet<String>();
1412                    for (int i = 0; i < numPackages; i++) {
1413                        String pkgName = tf.readUTF();
1414                        mAncestralPackages.add(pkgName);
1415                    }
1416                }
1417            }
1418            tf.close();
1419        } catch (FileNotFoundException fnf) {
1420            // Probably innocuous
1421            Slog.v(TAG, "No ancestral data");
1422        } catch (IOException e) {
1423            Slog.w(TAG, "Unable to read token file", e);
1424        }
1425
1426        // Keep a log of what apps we've ever backed up.  Because we might have
1427        // rebooted in the middle of an operation that was removing something from
1428        // this log, we sanity-check its contents here and reconstruct it.
1429        mEverStored = new File(mBaseStateDir, "processed");
1430        File tempProcessedFile = new File(mBaseStateDir, "processed.new");
1431
1432        // If we were in the middle of removing something from the ever-backed-up
1433        // file, there might be a transient "processed.new" file still present.
1434        // Ignore it -- we'll validate "processed" against the current package set.
1435        if (tempProcessedFile.exists()) {
1436            tempProcessedFile.delete();
1437        }
1438
1439        // If there are previous contents, parse them out then start a new
1440        // file to continue the recordkeeping.
1441        if (mEverStored.exists()) {
1442            RandomAccessFile temp = null;
1443            RandomAccessFile in = null;
1444
1445            try {
1446                temp = new RandomAccessFile(tempProcessedFile, "rws");
1447                in = new RandomAccessFile(mEverStored, "r");
1448
1449                // Loop until we hit EOF
1450                while (true) {
1451                    String pkg = in.readUTF();
1452                    try {
1453                        // is this package still present?
1454                        mPackageManager.getPackageInfo(pkg, 0);
1455                        // if we get here then yes it is; remember it
1456                        mEverStoredApps.add(pkg);
1457                        temp.writeUTF(pkg);
1458                        if (MORE_DEBUG) Slog.v(TAG, "   + " + pkg);
1459                    } catch (NameNotFoundException e) {
1460                        // nope, this package was uninstalled; don't include it
1461                        if (MORE_DEBUG) Slog.v(TAG, "   - " + pkg);
1462                    }
1463                }
1464            } catch (EOFException e) {
1465                // Once we've rewritten the backup history log, atomically replace the
1466                // old one with the new one then reopen the file for continuing use.
1467                if (!tempProcessedFile.renameTo(mEverStored)) {
1468                    Slog.e(TAG, "Error renaming " + tempProcessedFile + " to " + mEverStored);
1469                }
1470            } catch (IOException e) {
1471                Slog.e(TAG, "Error in processed file", e);
1472            } finally {
1473                try { if (temp != null) temp.close(); } catch (IOException e) {}
1474                try { if (in != null) in.close(); } catch (IOException e) {}
1475            }
1476        }
1477
1478        synchronized (mQueueLock) {
1479            // Resume the full-data backup queue
1480            mFullBackupQueue = readFullBackupSchedule();
1481        }
1482
1483        // Register for broadcasts about package install, etc., so we can
1484        // update the provider list.
1485        IntentFilter filter = new IntentFilter();
1486        filter.addAction(Intent.ACTION_PACKAGE_ADDED);
1487        filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
1488        filter.addAction(Intent.ACTION_PACKAGE_CHANGED);
1489        filter.addDataScheme("package");
1490        mContext.registerReceiver(mBroadcastReceiver, filter);
1491        // Register for events related to sdcard installation.
1492        IntentFilter sdFilter = new IntentFilter();
1493        sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
1494        sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE);
1495        mContext.registerReceiver(mBroadcastReceiver, sdFilter);
1496    }
1497
1498    private ArrayList<FullBackupEntry> readFullBackupSchedule() {
1499        boolean changed = false;
1500        ArrayList<FullBackupEntry> schedule = null;
1501        List<PackageInfo> apps =
1502                PackageManagerBackupAgent.getStorableApplications(mPackageManager);
1503
1504        if (mFullBackupScheduleFile.exists()) {
1505            FileInputStream fstream = null;
1506            BufferedInputStream bufStream = null;
1507            DataInputStream in = null;
1508            try {
1509                fstream = new FileInputStream(mFullBackupScheduleFile);
1510                bufStream = new BufferedInputStream(fstream);
1511                in = new DataInputStream(bufStream);
1512
1513                int version = in.readInt();
1514                if (version != SCHEDULE_FILE_VERSION) {
1515                    Slog.e(TAG, "Unknown backup schedule version " + version);
1516                    return null;
1517                }
1518
1519                final int N = in.readInt();
1520                schedule = new ArrayList<FullBackupEntry>(N);
1521
1522                // HashSet instead of ArraySet specifically because we want the eventual
1523                // lookups against O(hundreds) of entries to be as fast as possible, and
1524                // we discard the set immediately after the scan so the extra memory
1525                // overhead is transient.
1526                HashSet<String> foundApps = new HashSet<String>(N);
1527
1528                for (int i = 0; i < N; i++) {
1529                    String pkgName = in.readUTF();
1530                    long lastBackup = in.readLong();
1531                    foundApps.add(pkgName); // all apps that we've addressed already
1532                    try {
1533                        PackageInfo pkg = mPackageManager.getPackageInfo(pkgName, 0);
1534                        if (appGetsFullBackup(pkg)
1535                                && appIsEligibleForBackup(pkg.applicationInfo, mPackageManager)) {
1536                            schedule.add(new FullBackupEntry(pkgName, lastBackup));
1537                        } else {
1538                            if (DEBUG) {
1539                                Slog.i(TAG, "Package " + pkgName
1540                                        + " no longer eligible for full backup");
1541                            }
1542                        }
1543                    } catch (NameNotFoundException e) {
1544                        if (DEBUG) {
1545                            Slog.i(TAG, "Package " + pkgName
1546                                    + " not installed; dropping from full backup");
1547                        }
1548                    }
1549                }
1550
1551                // New apps can arrive "out of band" via OTA and similar, so we also need to
1552                // scan to make sure that we're tracking all full-backup candidates properly
1553                for (PackageInfo app : apps) {
1554                    if (appGetsFullBackup(app)
1555                            && appIsEligibleForBackup(app.applicationInfo, mPackageManager)) {
1556                        if (!foundApps.contains(app.packageName)) {
1557                            if (MORE_DEBUG) {
1558                                Slog.i(TAG, "New full backup app " + app.packageName + " found");
1559                            }
1560                            schedule.add(new FullBackupEntry(app.packageName, 0));
1561                            changed = true;
1562                        }
1563                    }
1564                }
1565
1566                Collections.sort(schedule);
1567            } catch (Exception e) {
1568                Slog.e(TAG, "Unable to read backup schedule", e);
1569                mFullBackupScheduleFile.delete();
1570                schedule = null;
1571            } finally {
1572                IoUtils.closeQuietly(in);
1573                IoUtils.closeQuietly(bufStream);
1574                IoUtils.closeQuietly(fstream);
1575            }
1576        }
1577
1578        if (schedule == null) {
1579            // no prior queue record, or unable to read it.  Set up the queue
1580            // from scratch.
1581            changed = true;
1582            schedule = new ArrayList<FullBackupEntry>(apps.size());
1583            for (PackageInfo info : apps) {
1584                if (appGetsFullBackup(info)
1585                        && appIsEligibleForBackup(info.applicationInfo, mPackageManager)) {
1586                    schedule.add(new FullBackupEntry(info.packageName, 0));
1587                }
1588            }
1589        }
1590
1591        if (changed) {
1592            writeFullBackupScheduleAsync();
1593        }
1594        return schedule;
1595    }
1596
1597    Runnable mFullBackupScheduleWriter = new Runnable() {
1598        @Override public void run() {
1599            synchronized (mQueueLock) {
1600                try {
1601                    ByteArrayOutputStream bufStream = new ByteArrayOutputStream(4096);
1602                    DataOutputStream bufOut = new DataOutputStream(bufStream);
1603                    bufOut.writeInt(SCHEDULE_FILE_VERSION);
1604
1605                    // version 1:
1606                    //
1607                    // [int] # of packages in the queue = N
1608                    // N * {
1609                    //     [utf8] package name
1610                    //     [long] last backup time for this package
1611                    //     }
1612                    int N = mFullBackupQueue.size();
1613                    bufOut.writeInt(N);
1614
1615                    for (int i = 0; i < N; i++) {
1616                        FullBackupEntry entry = mFullBackupQueue.get(i);
1617                        bufOut.writeUTF(entry.packageName);
1618                        bufOut.writeLong(entry.lastBackup);
1619                    }
1620                    bufOut.flush();
1621
1622                    AtomicFile af = new AtomicFile(mFullBackupScheduleFile);
1623                    FileOutputStream out = af.startWrite();
1624                    out.write(bufStream.toByteArray());
1625                    af.finishWrite(out);
1626                } catch (Exception e) {
1627                    Slog.e(TAG, "Unable to write backup schedule!", e);
1628                }
1629            }
1630        }
1631    };
1632
1633    private void writeFullBackupScheduleAsync() {
1634        mBackupHandler.removeCallbacks(mFullBackupScheduleWriter);
1635        mBackupHandler.post(mFullBackupScheduleWriter);
1636    }
1637
1638    private void parseLeftoverJournals() {
1639        for (File f : mJournalDir.listFiles()) {
1640            if (mJournal == null || f.compareTo(mJournal) != 0) {
1641                // This isn't the current journal, so it must be a leftover.  Read
1642                // out the package names mentioned there and schedule them for
1643                // backup.
1644                DataInputStream in = null;
1645                try {
1646                    Slog.i(TAG, "Found stale backup journal, scheduling");
1647                    // Journals will tend to be on the order of a few kilobytes(around 4k), hence,
1648                    // setting the buffer size to 8192.
1649                    InputStream bufferedInputStream = new BufferedInputStream(
1650                            new FileInputStream(f), 8192);
1651                    in = new DataInputStream(bufferedInputStream);
1652                    while (true) {
1653                        String packageName = in.readUTF();
1654                        if (MORE_DEBUG) Slog.i(TAG, "  " + packageName);
1655                        dataChangedImpl(packageName);
1656                    }
1657                } catch (EOFException e) {
1658                    // no more data; we're done
1659                } catch (Exception e) {
1660                    Slog.e(TAG, "Can't read " + f, e);
1661                } finally {
1662                    // close/delete the file
1663                    try { if (in != null) in.close(); } catch (IOException e) {}
1664                    f.delete();
1665                }
1666            }
1667        }
1668    }
1669
1670    private SecretKey buildPasswordKey(String algorithm, String pw, byte[] salt, int rounds) {
1671        return buildCharArrayKey(algorithm, pw.toCharArray(), salt, rounds);
1672    }
1673
1674    private SecretKey buildCharArrayKey(String algorithm, char[] pwArray, byte[] salt, int rounds) {
1675        try {
1676            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm);
1677            KeySpec ks = new PBEKeySpec(pwArray, salt, rounds, PBKDF2_KEY_SIZE);
1678            return keyFactory.generateSecret(ks);
1679        } catch (InvalidKeySpecException e) {
1680            Slog.e(TAG, "Invalid key spec for PBKDF2!");
1681        } catch (NoSuchAlgorithmException e) {
1682            Slog.e(TAG, "PBKDF2 unavailable!");
1683        }
1684        return null;
1685    }
1686
1687    private String buildPasswordHash(String algorithm, String pw, byte[] salt, int rounds) {
1688        SecretKey key = buildPasswordKey(algorithm, pw, salt, rounds);
1689        if (key != null) {
1690            return byteArrayToHex(key.getEncoded());
1691        }
1692        return null;
1693    }
1694
1695    private String byteArrayToHex(byte[] data) {
1696        StringBuilder buf = new StringBuilder(data.length * 2);
1697        for (int i = 0; i < data.length; i++) {
1698            buf.append(Byte.toHexString(data[i], true));
1699        }
1700        return buf.toString();
1701    }
1702
1703    private byte[] hexToByteArray(String digits) {
1704        final int bytes = digits.length() / 2;
1705        if (2*bytes != digits.length()) {
1706            throw new IllegalArgumentException("Hex string must have an even number of digits");
1707        }
1708
1709        byte[] result = new byte[bytes];
1710        for (int i = 0; i < digits.length(); i += 2) {
1711            result[i/2] = (byte) Integer.parseInt(digits.substring(i, i+2), 16);
1712        }
1713        return result;
1714    }
1715
1716    private byte[] makeKeyChecksum(String algorithm, byte[] pwBytes, byte[] salt, int rounds) {
1717        char[] mkAsChar = new char[pwBytes.length];
1718        for (int i = 0; i < pwBytes.length; i++) {
1719            mkAsChar[i] = (char) pwBytes[i];
1720        }
1721
1722        Key checksum = buildCharArrayKey(algorithm, mkAsChar, salt, rounds);
1723        return checksum.getEncoded();
1724    }
1725
1726    // Used for generating random salts or passwords
1727    private byte[] randomBytes(int bits) {
1728        byte[] array = new byte[bits / 8];
1729        mRng.nextBytes(array);
1730        return array;
1731    }
1732
1733    boolean passwordMatchesSaved(String algorithm, String candidatePw, int rounds) {
1734        if (mPasswordHash == null) {
1735            // no current password case -- require that 'currentPw' be null or empty
1736            if (candidatePw == null || "".equals(candidatePw)) {
1737                return true;
1738            } // else the non-empty candidate does not match the empty stored pw
1739        } else {
1740            // hash the stated current pw and compare to the stored one
1741            if (candidatePw != null && candidatePw.length() > 0) {
1742                String currentPwHash = buildPasswordHash(algorithm, candidatePw, mPasswordSalt, rounds);
1743                if (mPasswordHash.equalsIgnoreCase(currentPwHash)) {
1744                    // candidate hash matches the stored hash -- the password matches
1745                    return true;
1746                }
1747            } // else the stored pw is nonempty but the candidate is empty; no match
1748        }
1749        return false;
1750    }
1751
1752    @Override
1753    public boolean setBackupPassword(String currentPw, String newPw) {
1754        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
1755                "setBackupPassword");
1756
1757        // When processing v1 passwords we may need to try two different PBKDF2 checksum regimes
1758        final boolean pbkdf2Fallback = (mPasswordVersion < BACKUP_PW_FILE_VERSION);
1759
1760        // If the supplied pw doesn't hash to the the saved one, fail.  The password
1761        // might be caught in the legacy crypto mismatch; verify that too.
1762        if (!passwordMatchesSaved(PBKDF_CURRENT, currentPw, PBKDF2_HASH_ROUNDS)
1763                && !(pbkdf2Fallback && passwordMatchesSaved(PBKDF_FALLBACK,
1764                        currentPw, PBKDF2_HASH_ROUNDS))) {
1765            return false;
1766        }
1767
1768        // Snap up to current on the pw file version
1769        mPasswordVersion = BACKUP_PW_FILE_VERSION;
1770        FileOutputStream pwFout = null;
1771        DataOutputStream pwOut = null;
1772        try {
1773            pwFout = new FileOutputStream(mPasswordVersionFile);
1774            pwOut = new DataOutputStream(pwFout);
1775            pwOut.writeInt(mPasswordVersion);
1776        } catch (IOException e) {
1777            Slog.e(TAG, "Unable to write backup pw version; password not changed");
1778            return false;
1779        } finally {
1780            try {
1781                if (pwOut != null) pwOut.close();
1782                if (pwFout != null) pwFout.close();
1783            } catch (IOException e) {
1784                Slog.w(TAG, "Unable to close pw version record");
1785            }
1786        }
1787
1788        // Clearing the password is okay
1789        if (newPw == null || newPw.isEmpty()) {
1790            if (mPasswordHashFile.exists()) {
1791                if (!mPasswordHashFile.delete()) {
1792                    // Unable to delete the old pw file, so fail
1793                    Slog.e(TAG, "Unable to clear backup password");
1794                    return false;
1795                }
1796            }
1797            mPasswordHash = null;
1798            mPasswordSalt = null;
1799            return true;
1800        }
1801
1802        try {
1803            // Okay, build the hash of the new backup password
1804            byte[] salt = randomBytes(PBKDF2_SALT_SIZE);
1805            String newPwHash = buildPasswordHash(PBKDF_CURRENT, newPw, salt, PBKDF2_HASH_ROUNDS);
1806
1807            OutputStream pwf = null, buffer = null;
1808            DataOutputStream out = null;
1809            try {
1810                pwf = new FileOutputStream(mPasswordHashFile);
1811                buffer = new BufferedOutputStream(pwf);
1812                out = new DataOutputStream(buffer);
1813                // integer length of the salt array, followed by the salt,
1814                // then the hex pw hash string
1815                out.writeInt(salt.length);
1816                out.write(salt);
1817                out.writeUTF(newPwHash);
1818                out.flush();
1819                mPasswordHash = newPwHash;
1820                mPasswordSalt = salt;
1821                return true;
1822            } finally {
1823                if (out != null) out.close();
1824                if (buffer != null) buffer.close();
1825                if (pwf != null) pwf.close();
1826            }
1827        } catch (IOException e) {
1828            Slog.e(TAG, "Unable to set backup password");
1829        }
1830        return false;
1831    }
1832
1833    @Override
1834    public boolean hasBackupPassword() {
1835        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
1836                "hasBackupPassword");
1837
1838        return mPasswordHash != null && mPasswordHash.length() > 0;
1839    }
1840
1841    private boolean backupPasswordMatches(String currentPw) {
1842        if (hasBackupPassword()) {
1843            final boolean pbkdf2Fallback = (mPasswordVersion < BACKUP_PW_FILE_VERSION);
1844            if (!passwordMatchesSaved(PBKDF_CURRENT, currentPw, PBKDF2_HASH_ROUNDS)
1845                    && !(pbkdf2Fallback && passwordMatchesSaved(PBKDF_FALLBACK,
1846                            currentPw, PBKDF2_HASH_ROUNDS))) {
1847                if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
1848                return false;
1849            }
1850        }
1851        return true;
1852    }
1853
1854    // Maintain persistent state around whether need to do an initialize operation.
1855    // Must be called with the queue lock held.
1856    void recordInitPendingLocked(boolean isPending, String transportName) {
1857        if (MORE_DEBUG) Slog.i(TAG, "recordInitPendingLocked: " + isPending
1858                + " on transport " + transportName);
1859        mBackupHandler.removeMessages(MSG_RETRY_INIT);
1860
1861        try {
1862            IBackupTransport transport = mTransportManager.getTransportBinder(transportName);
1863            if (transport != null) {
1864                String transportDirName = transport.transportDirName();
1865                File stateDir = new File(mBaseStateDir, transportDirName);
1866                File initPendingFile = new File(stateDir, INIT_SENTINEL_FILE_NAME);
1867
1868                if (isPending) {
1869                    // We need an init before we can proceed with sending backup data.
1870                    // Record that with an entry in our set of pending inits, as well as
1871                    // journaling it via creation of a sentinel file.
1872                    mPendingInits.add(transportName);
1873                    try {
1874                        (new FileOutputStream(initPendingFile)).close();
1875                    } catch (IOException ioe) {
1876                        // Something is badly wrong with our permissions; just try to move on
1877                    }
1878                } else {
1879                    // No more initialization needed; wipe the journal and reset our state.
1880                    initPendingFile.delete();
1881                    mPendingInits.remove(transportName);
1882                }
1883                return; // done; don't fall through to the error case
1884            }
1885        } catch (Exception e) {
1886            // transport threw when asked its name; fall through to the lookup-failed case
1887            Slog.e(TAG, "Transport " + transportName + " failed to report name: "
1888                    + e.getMessage());
1889        }
1890
1891        // The named transport doesn't exist or threw.  This operation is
1892        // important, so we record the need for a an init and post a message
1893        // to retry the init later.
1894        if (isPending) {
1895            mPendingInits.add(transportName);
1896            mBackupHandler.sendMessageDelayed(
1897                    mBackupHandler.obtainMessage(MSG_RETRY_INIT,
1898                            (isPending ? 1 : 0),
1899                            0,
1900                            transportName),
1901                    TRANSPORT_RETRY_INTERVAL);
1902        }
1903    }
1904
1905    // Reset all of our bookkeeping, in response to having been told that
1906    // the backend data has been wiped [due to idle expiry, for example],
1907    // so we must re-upload all saved settings.
1908    void resetBackupState(File stateFileDir) {
1909        synchronized (mQueueLock) {
1910            // Wipe the "what we've ever backed up" tracking
1911            mEverStoredApps.clear();
1912            mEverStored.delete();
1913
1914            mCurrentToken = 0;
1915            writeRestoreTokens();
1916
1917            // Remove all the state files
1918            for (File sf : stateFileDir.listFiles()) {
1919                // ... but don't touch the needs-init sentinel
1920                if (!sf.getName().equals(INIT_SENTINEL_FILE_NAME)) {
1921                    sf.delete();
1922                }
1923            }
1924        }
1925
1926        // Enqueue a new backup of every participant
1927        synchronized (mBackupParticipants) {
1928            final int N = mBackupParticipants.size();
1929            for (int i=0; i<N; i++) {
1930                HashSet<String> participants = mBackupParticipants.valueAt(i);
1931                if (participants != null) {
1932                    for (String packageName : participants) {
1933                        dataChangedImpl(packageName);
1934                    }
1935                }
1936            }
1937        }
1938    }
1939
1940    private TransportManager.TransportBoundListener mTransportBoundListener =
1941            new TransportManager.TransportBoundListener() {
1942        @Override
1943        public boolean onTransportBound(IBackupTransport transport) {
1944            // If the init sentinel file exists, we need to be sure to perform the init
1945            // as soon as practical.  We also create the state directory at registration
1946            // time to ensure it's present from the outset.
1947            String name = null;
1948            try {
1949                name = transport.name();
1950                String transportDirName = transport.transportDirName();
1951                File stateDir = new File(mBaseStateDir, transportDirName);
1952                stateDir.mkdirs();
1953
1954                File initSentinel = new File(stateDir, INIT_SENTINEL_FILE_NAME);
1955                if (initSentinel.exists()) {
1956                    synchronized (mQueueLock) {
1957                        mPendingInits.add(name);
1958
1959                        // TODO: pick a better starting time than now + 1 minute
1960                        long delay = 1000 * 60; // one minute, in milliseconds
1961                        mAlarmManager.set(AlarmManager.RTC_WAKEUP,
1962                                System.currentTimeMillis() + delay, mRunInitIntent);
1963                    }
1964                }
1965                return true;
1966            } catch (Exception e) {
1967                // the transport threw when asked its file naming prefs; declare it invalid
1968                Slog.w(TAG, "Failed to regiser transport: " + name);
1969                return false;
1970            }
1971        }
1972    };
1973
1974    // ----- Track installation/removal of packages -----
1975    BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() {
1976        public void onReceive(Context context, Intent intent) {
1977            if (MORE_DEBUG) Slog.d(TAG, "Received broadcast " + intent);
1978
1979            String action = intent.getAction();
1980            boolean replacing = false;
1981            boolean added = false;
1982            boolean changed = false;
1983            Bundle extras = intent.getExtras();
1984            String pkgList[] = null;
1985            if (Intent.ACTION_PACKAGE_ADDED.equals(action) ||
1986                    Intent.ACTION_PACKAGE_REMOVED.equals(action) ||
1987                    Intent.ACTION_PACKAGE_CHANGED.equals(action)) {
1988                Uri uri = intent.getData();
1989                if (uri == null) {
1990                    return;
1991                }
1992                String pkgName = uri.getSchemeSpecificPart();
1993                if (pkgName != null) {
1994                    pkgList = new String[] { pkgName };
1995                }
1996                changed = Intent.ACTION_PACKAGE_CHANGED.equals(action);
1997
1998                // At package-changed we only care about looking at new transport states
1999                if (changed) {
2000                    String[] components =
2001                            intent.getStringArrayExtra(Intent.EXTRA_CHANGED_COMPONENT_NAME_LIST);
2002
2003                    if (MORE_DEBUG) {
2004                        Slog.i(TAG, "Package " + pkgName + " changed; rechecking");
2005                        for (int i = 0; i < components.length; i++) {
2006                            Slog.i(TAG, "   * " + components[i]);
2007                        }
2008                    }
2009
2010                    mTransportManager.onPackageChanged(pkgName, components);
2011                    return; // nothing more to do in the PACKAGE_CHANGED case
2012                }
2013
2014                added = Intent.ACTION_PACKAGE_ADDED.equals(action);
2015                replacing = extras.getBoolean(Intent.EXTRA_REPLACING, false);
2016            } else if (Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE.equals(action)) {
2017                added = true;
2018                pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
2019            } else if (Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE.equals(action)) {
2020                added = false;
2021                pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
2022            }
2023
2024            if (pkgList == null || pkgList.length == 0) {
2025                return;
2026            }
2027
2028            final int uid = extras.getInt(Intent.EXTRA_UID);
2029            if (added) {
2030                synchronized (mBackupParticipants) {
2031                    if (replacing) {
2032                        // This is the package-replaced case; we just remove the entry
2033                        // under the old uid and fall through to re-add.  If an app
2034                        // just added key/value backup participation, this picks it up
2035                        // as a known participant.
2036                        removePackageParticipantsLocked(pkgList, uid);
2037                    }
2038                    addPackageParticipantsLocked(pkgList);
2039                }
2040                // If they're full-backup candidates, add them there instead
2041                final long now = System.currentTimeMillis();
2042                for (String packageName : pkgList) {
2043                    try {
2044                        PackageInfo app = mPackageManager.getPackageInfo(packageName, 0);
2045                        if (appGetsFullBackup(app)
2046                                && appIsEligibleForBackup(app.applicationInfo, mPackageManager)) {
2047                            enqueueFullBackup(packageName, now);
2048                            scheduleNextFullBackupJob(0);
2049                        } else {
2050                            // The app might have just transitioned out of full-data into
2051                            // doing key/value backups, or might have just disabled backups
2052                            // entirely.  Make sure it is no longer in the full-data queue.
2053                            synchronized (mQueueLock) {
2054                                dequeueFullBackupLocked(packageName);
2055                            }
2056                            writeFullBackupScheduleAsync();
2057                        }
2058
2059                        mTransportManager.onPackageAdded(packageName);
2060
2061                    } catch (NameNotFoundException e) {
2062                        // doesn't really exist; ignore it
2063                        if (DEBUG) {
2064                            Slog.w(TAG, "Can't resolve new app " + packageName);
2065                        }
2066                    }
2067                }
2068
2069                // Whenever a package is added or updated we need to update
2070                // the package metadata bookkeeping.
2071                dataChangedImpl(PACKAGE_MANAGER_SENTINEL);
2072            } else {
2073                if (replacing) {
2074                    // The package is being updated.  We'll receive a PACKAGE_ADDED shortly.
2075                } else {
2076                    // Outright removal.  In the full-data case, the app will be dropped
2077                    // from the queue when its (now obsolete) name comes up again for
2078                    // backup.
2079                    synchronized (mBackupParticipants) {
2080                        removePackageParticipantsLocked(pkgList, uid);
2081                    }
2082                }
2083                for (String pkgName : pkgList) {
2084                    mTransportManager.onPackageRemoved(pkgName);
2085                }
2086            }
2087        }
2088    };
2089
2090    // Add the backup agents in the given packages to our set of known backup participants.
2091    // If 'packageNames' is null, adds all backup agents in the whole system.
2092    void addPackageParticipantsLocked(String[] packageNames) {
2093        // Look for apps that define the android:backupAgent attribute
2094        List<PackageInfo> targetApps = allAgentPackages();
2095        if (packageNames != null) {
2096            if (MORE_DEBUG) Slog.v(TAG, "addPackageParticipantsLocked: #" + packageNames.length);
2097            for (String packageName : packageNames) {
2098                addPackageParticipantsLockedInner(packageName, targetApps);
2099            }
2100        } else {
2101            if (MORE_DEBUG) Slog.v(TAG, "addPackageParticipantsLocked: all");
2102            addPackageParticipantsLockedInner(null, targetApps);
2103        }
2104    }
2105
2106    private void addPackageParticipantsLockedInner(String packageName,
2107            List<PackageInfo> targetPkgs) {
2108        if (MORE_DEBUG) {
2109            Slog.v(TAG, "Examining " + packageName + " for backup agent");
2110        }
2111
2112        for (PackageInfo pkg : targetPkgs) {
2113            if (packageName == null || pkg.packageName.equals(packageName)) {
2114                int uid = pkg.applicationInfo.uid;
2115                HashSet<String> set = mBackupParticipants.get(uid);
2116                if (set == null) {
2117                    set = new HashSet<>();
2118                    mBackupParticipants.put(uid, set);
2119                }
2120                set.add(pkg.packageName);
2121                if (MORE_DEBUG) Slog.v(TAG, "Agent found; added");
2122
2123                // Schedule a backup for it on general principles
2124                if (MORE_DEBUG) Slog.i(TAG, "Scheduling backup for new app " + pkg.packageName);
2125                Message msg = mBackupHandler
2126                        .obtainMessage(MSG_SCHEDULE_BACKUP_PACKAGE, pkg.packageName);
2127                mBackupHandler.sendMessage(msg);
2128            }
2129        }
2130    }
2131
2132    // Remove the given packages' entries from our known active set.
2133    void removePackageParticipantsLocked(String[] packageNames, int oldUid) {
2134        if (packageNames == null) {
2135            Slog.w(TAG, "removePackageParticipants with null list");
2136            return;
2137        }
2138
2139        if (MORE_DEBUG) Slog.v(TAG, "removePackageParticipantsLocked: uid=" + oldUid
2140                + " #" + packageNames.length);
2141        for (String pkg : packageNames) {
2142            // Known previous UID, so we know which package set to check
2143            HashSet<String> set = mBackupParticipants.get(oldUid);
2144            if (set != null && set.contains(pkg)) {
2145                removePackageFromSetLocked(set, pkg);
2146                if (set.isEmpty()) {
2147                    if (MORE_DEBUG) Slog.v(TAG, "  last one of this uid; purging set");
2148                    mBackupParticipants.remove(oldUid);
2149                }
2150            }
2151        }
2152    }
2153
2154    private void removePackageFromSetLocked(final HashSet<String> set,
2155            final String packageName) {
2156        if (set.contains(packageName)) {
2157            // Found it.  Remove this one package from the bookkeeping, and
2158            // if it's the last participating app under this uid we drop the
2159            // (now-empty) set as well.
2160            // Note that we deliberately leave it 'known' in the "ever backed up"
2161            // bookkeeping so that its current-dataset data will be retrieved
2162            // if the app is subsequently reinstalled
2163            if (MORE_DEBUG) Slog.v(TAG, "  removing participant " + packageName);
2164            set.remove(packageName);
2165            mPendingBackups.remove(packageName);
2166        }
2167    }
2168
2169    // Returns the set of all applications that define an android:backupAgent attribute
2170    List<PackageInfo> allAgentPackages() {
2171        // !!! TODO: cache this and regenerate only when necessary
2172        int flags = PackageManager.GET_SIGNATURES;
2173        List<PackageInfo> packages = mPackageManager.getInstalledPackages(flags);
2174        int N = packages.size();
2175        for (int a = N-1; a >= 0; a--) {
2176            PackageInfo pkg = packages.get(a);
2177            try {
2178                ApplicationInfo app = pkg.applicationInfo;
2179                if (((app.flags&ApplicationInfo.FLAG_ALLOW_BACKUP) == 0)
2180                        || app.backupAgentName == null
2181                        || (app.flags&ApplicationInfo.FLAG_FULL_BACKUP_ONLY) != 0) {
2182                    packages.remove(a);
2183                }
2184                else {
2185                    // we will need the shared library path, so look that up and store it here.
2186                    // This is used implicitly when we pass the PackageInfo object off to
2187                    // the Activity Manager to launch the app for backup/restore purposes.
2188                    app = mPackageManager.getApplicationInfo(pkg.packageName,
2189                            PackageManager.GET_SHARED_LIBRARY_FILES);
2190                    pkg.applicationInfo.sharedLibraryFiles = app.sharedLibraryFiles;
2191                }
2192            } catch (NameNotFoundException e) {
2193                packages.remove(a);
2194            }
2195        }
2196        return packages;
2197    }
2198
2199    // Called from the backup tasks: record that the given app has been successfully
2200    // backed up at least once.  This includes both key/value and full-data backups
2201    // through the transport.
2202    void logBackupComplete(String packageName) {
2203        if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) return;
2204
2205        synchronized (mEverStoredApps) {
2206            if (!mEverStoredApps.add(packageName)) return;
2207
2208            RandomAccessFile out = null;
2209            try {
2210                out = new RandomAccessFile(mEverStored, "rws");
2211                out.seek(out.length());
2212                out.writeUTF(packageName);
2213            } catch (IOException e) {
2214                Slog.e(TAG, "Can't log backup of " + packageName + " to " + mEverStored);
2215            } finally {
2216                try { if (out != null) out.close(); } catch (IOException e) {}
2217            }
2218        }
2219    }
2220
2221    // Remove our awareness of having ever backed up the given package
2222    void removeEverBackedUp(String packageName) {
2223        if (DEBUG) Slog.v(TAG, "Removing backed-up knowledge of " + packageName);
2224        if (MORE_DEBUG) Slog.v(TAG, "New set:");
2225
2226        synchronized (mEverStoredApps) {
2227            // Rewrite the file and rename to overwrite.  If we reboot in the middle,
2228            // we'll recognize on initialization time that the package no longer
2229            // exists and fix it up then.
2230            File tempKnownFile = new File(mBaseStateDir, "processed.new");
2231            RandomAccessFile known = null;
2232            try {
2233                known = new RandomAccessFile(tempKnownFile, "rws");
2234                mEverStoredApps.remove(packageName);
2235                for (String s : mEverStoredApps) {
2236                    known.writeUTF(s);
2237                    if (MORE_DEBUG) Slog.v(TAG, "    " + s);
2238                }
2239                known.close();
2240                known = null;
2241                if (!tempKnownFile.renameTo(mEverStored)) {
2242                    throw new IOException("Can't rename " + tempKnownFile + " to " + mEverStored);
2243                }
2244            } catch (IOException e) {
2245                // Bad: we couldn't create the new copy.  For safety's sake we
2246                // abandon the whole process and remove all what's-backed-up
2247                // state entirely, meaning we'll force a backup pass for every
2248                // participant on the next boot or [re]install.
2249                Slog.w(TAG, "Error rewriting " + mEverStored, e);
2250                mEverStoredApps.clear();
2251                tempKnownFile.delete();
2252                mEverStored.delete();
2253            } finally {
2254                try { if (known != null) known.close(); } catch (IOException e) {}
2255            }
2256        }
2257    }
2258
2259    // Persistently record the current and ancestral backup tokens as well
2260    // as the set of packages with data [supposedly] available in the
2261    // ancestral dataset.
2262    void writeRestoreTokens() {
2263        try {
2264            RandomAccessFile af = new RandomAccessFile(mTokenFile, "rwd");
2265
2266            // First, the version number of this record, for futureproofing
2267            af.writeInt(CURRENT_ANCESTRAL_RECORD_VERSION);
2268
2269            // Write the ancestral and current tokens
2270            af.writeLong(mAncestralToken);
2271            af.writeLong(mCurrentToken);
2272
2273            // Now write the set of ancestral packages
2274            if (mAncestralPackages == null) {
2275                af.writeInt(-1);
2276            } else {
2277                af.writeInt(mAncestralPackages.size());
2278                if (DEBUG) Slog.v(TAG, "Ancestral packages:  " + mAncestralPackages.size());
2279                for (String pkgName : mAncestralPackages) {
2280                    af.writeUTF(pkgName);
2281                    if (MORE_DEBUG) Slog.v(TAG, "   " + pkgName);
2282                }
2283            }
2284            af.close();
2285        } catch (IOException e) {
2286            Slog.w(TAG, "Unable to write token file:", e);
2287        }
2288    }
2289
2290    // What name is this transport registered under...?
2291    private String getTransportName(IBackupTransport transport) {
2292        if (MORE_DEBUG) {
2293            Slog.v(TAG, "Searching for transport name of " + transport);
2294        }
2295        return mTransportManager.getTransportName(transport);
2296    }
2297
2298    // fire off a backup agent, blocking until it attaches or times out
2299    @Override
2300    public IBackupAgent bindToAgentSynchronous(ApplicationInfo app, int mode) {
2301        IBackupAgent agent = null;
2302        synchronized(mAgentConnectLock) {
2303            mConnecting = true;
2304            mConnectedAgent = null;
2305            try {
2306                if (mActivityManager.bindBackupAgent(app.packageName, mode,
2307                        UserHandle.USER_OWNER)) {
2308                    Slog.d(TAG, "awaiting agent for " + app);
2309
2310                    // success; wait for the agent to arrive
2311                    // only wait 10 seconds for the bind to happen
2312                    long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
2313                    while (mConnecting && mConnectedAgent == null
2314                            && (System.currentTimeMillis() < timeoutMark)) {
2315                        try {
2316                            mAgentConnectLock.wait(5000);
2317                        } catch (InterruptedException e) {
2318                            // just bail
2319                            Slog.w(TAG, "Interrupted: " + e);
2320                            mConnecting = false;
2321                            mConnectedAgent = null;
2322                        }
2323                    }
2324
2325                    // if we timed out with no connect, abort and move on
2326                    if (mConnecting == true) {
2327                        Slog.w(TAG, "Timeout waiting for agent " + app);
2328                        mConnectedAgent = null;
2329                    }
2330                    if (DEBUG) Slog.i(TAG, "got agent " + mConnectedAgent);
2331                    agent = mConnectedAgent;
2332                }
2333            } catch (RemoteException e) {
2334                // can't happen - ActivityManager is local
2335            }
2336        }
2337        if (agent == null) {
2338            try {
2339                mActivityManager.clearPendingBackup();
2340            } catch (RemoteException e) {
2341                // can't happen - ActivityManager is local
2342            }
2343        }
2344        return agent;
2345    }
2346
2347    // clear an application's data, blocking until the operation completes or times out
2348    void clearApplicationDataSynchronous(String packageName) {
2349        // Don't wipe packages marked allowClearUserData=false
2350        try {
2351            PackageInfo info = mPackageManager.getPackageInfo(packageName, 0);
2352            if ((info.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_CLEAR_USER_DATA) == 0) {
2353                if (MORE_DEBUG) Slog.i(TAG, "allowClearUserData=false so not wiping "
2354                        + packageName);
2355                return;
2356            }
2357        } catch (NameNotFoundException e) {
2358            Slog.w(TAG, "Tried to clear data for " + packageName + " but not found");
2359            return;
2360        }
2361
2362        ClearDataObserver observer = new ClearDataObserver();
2363
2364        synchronized(mClearDataLock) {
2365            mClearingData = true;
2366            try {
2367                mActivityManager.clearApplicationUserData(packageName, observer, 0);
2368            } catch (RemoteException e) {
2369                // can't happen because the activity manager is in this process
2370            }
2371
2372            // only wait 10 seconds for the clear data to happen
2373            long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
2374            while (mClearingData && (System.currentTimeMillis() < timeoutMark)) {
2375                try {
2376                    mClearDataLock.wait(5000);
2377                } catch (InterruptedException e) {
2378                    // won't happen, but still.
2379                    mClearingData = false;
2380                }
2381            }
2382        }
2383    }
2384
2385    class ClearDataObserver extends IPackageDataObserver.Stub {
2386        public void onRemoveCompleted(String packageName, boolean succeeded) {
2387            synchronized(mClearDataLock) {
2388                mClearingData = false;
2389                mClearDataLock.notifyAll();
2390            }
2391        }
2392    }
2393
2394    // Get the restore-set token for the best-available restore set for this package:
2395    // the active set if possible, else the ancestral one.  Returns zero if none available.
2396    @Override
2397    public long getAvailableRestoreToken(String packageName) {
2398        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
2399                "getAvailableRestoreToken");
2400
2401        long token = mAncestralToken;
2402        synchronized (mQueueLock) {
2403            if (mCurrentToken != 0 && mEverStoredApps.contains(packageName)) {
2404                if (MORE_DEBUG) {
2405                    Slog.i(TAG, "App in ever-stored, so using current token");
2406                }
2407                token = mCurrentToken;
2408            }
2409        }
2410        if (MORE_DEBUG) Slog.i(TAG, "getAvailableRestoreToken() == " + token);
2411        return token;
2412    }
2413
2414    @Override
2415    public int requestBackup(String[] packages, IBackupObserver observer, int flags) {
2416        return requestBackup(packages, observer, null, flags);
2417    }
2418
2419    @Override
2420    public int requestBackup(String[] packages, IBackupObserver observer,
2421            IBackupManagerMonitor monitor, int flags) {
2422        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "requestBackup");
2423
2424        if (packages == null || packages.length < 1) {
2425            Slog.e(TAG, "No packages named for backup request");
2426            sendBackupFinished(observer, BackupManager.ERROR_TRANSPORT_ABORTED);
2427            monitor = monitorEvent(monitor, BackupManagerMonitor.LOG_EVENT_ID_NO_PACKAGES,
2428                    null, BackupManagerMonitor.LOG_EVENT_CATEGORY_TRANSPORT, null);
2429            throw new IllegalArgumentException("No packages are provided for backup");
2430        }
2431
2432        IBackupTransport transport = mTransportManager.getCurrentTransportBinder();
2433        if (transport == null) {
2434            sendBackupFinished(observer, BackupManager.ERROR_TRANSPORT_ABORTED);
2435            monitor = monitorEvent(monitor, BackupManagerMonitor.LOG_EVENT_ID_TRANSPORT_IS_NULL,
2436                    null, BackupManagerMonitor.LOG_EVENT_CATEGORY_TRANSPORT, null);
2437            return BackupManager.ERROR_TRANSPORT_ABORTED;
2438        }
2439
2440        ArrayList<String> fullBackupList = new ArrayList<>();
2441        ArrayList<String> kvBackupList = new ArrayList<>();
2442        for (String packageName : packages) {
2443            if (PACKAGE_MANAGER_SENTINEL.equals(packageName)) {
2444                kvBackupList.add(packageName);
2445                continue;
2446            }
2447            try {
2448                PackageInfo packageInfo = mPackageManager.getPackageInfo(packageName,
2449                        PackageManager.GET_SIGNATURES);
2450                if (!appIsEligibleForBackup(packageInfo.applicationInfo, mPackageManager)) {
2451                    sendBackupOnPackageResult(observer, packageName,
2452                            BackupManager.ERROR_BACKUP_NOT_ALLOWED);
2453                    continue;
2454                }
2455                if (appGetsFullBackup(packageInfo)) {
2456                    fullBackupList.add(packageInfo.packageName);
2457                } else {
2458                    kvBackupList.add(packageInfo.packageName);
2459                }
2460            } catch (NameNotFoundException e) {
2461                sendBackupOnPackageResult(observer, packageName,
2462                        BackupManager.ERROR_PACKAGE_NOT_FOUND);
2463            }
2464        }
2465        EventLog.writeEvent(EventLogTags.BACKUP_REQUESTED, packages.length, kvBackupList.size(),
2466                fullBackupList.size());
2467        if (MORE_DEBUG) {
2468            Slog.i(TAG, "Backup requested for " + packages.length + " packages, of them: " +
2469                fullBackupList.size() + " full backups, " + kvBackupList.size() + " k/v backups");
2470        }
2471
2472        String dirName;
2473        try {
2474            dirName = transport.transportDirName();
2475        } catch (Exception e) {
2476            Slog.e(TAG, "Transport unavailable while attempting backup: " + e.getMessage());
2477            sendBackupFinished(observer, BackupManager.ERROR_TRANSPORT_ABORTED);
2478            return BackupManager.ERROR_TRANSPORT_ABORTED;
2479        }
2480
2481        boolean nonIncrementalBackup = (flags & BackupManager.FLAG_NON_INCREMENTAL_BACKUP) != 0;
2482
2483        Message msg = mBackupHandler.obtainMessage(MSG_REQUEST_BACKUP);
2484        msg.obj = new BackupParams(transport, dirName, kvBackupList, fullBackupList, observer,
2485                monitor, true, nonIncrementalBackup);
2486        mBackupHandler.sendMessage(msg);
2487        return BackupManager.SUCCESS;
2488    }
2489
2490    // Cancel all running backups.
2491    @Override
2492    public void cancelBackups(){
2493        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "cancelBackups");
2494        if (MORE_DEBUG) {
2495            Slog.i(TAG, "cancelBackups() called.");
2496        }
2497        final long oldToken = Binder.clearCallingIdentity();
2498        try {
2499            List<Integer> operationsToCancel = new ArrayList<>();
2500            synchronized (mCurrentOpLock) {
2501                for (int i = 0; i < mCurrentOperations.size(); i++) {
2502                    Operation op = mCurrentOperations.valueAt(i);
2503                    int token = mCurrentOperations.keyAt(i);
2504                    if (op.type == OP_TYPE_BACKUP) {
2505                        operationsToCancel.add(token);
2506                    }
2507                }
2508            }
2509            for (Integer token : operationsToCancel) {
2510                handleCancel(token, true /* cancelAll */);
2511            }
2512            // We don't want the backup jobs to kick in any time soon.
2513            // Reschedules them to run in the distant future.
2514            KeyValueBackupJob.schedule(mContext, BUSY_BACKOFF_MIN_MILLIS);
2515            FullBackupJob.schedule(mContext, 2 * BUSY_BACKOFF_MIN_MILLIS);
2516        } finally {
2517            Binder.restoreCallingIdentity(oldToken);
2518        }
2519    }
2520
2521    @Override
2522    public void prepareOperationTimeout(int token, long interval, BackupRestoreTask callback,
2523        int operationType) {
2524        if (operationType != OP_TYPE_BACKUP_WAIT && operationType != OP_TYPE_RESTORE_WAIT) {
2525            Slog.wtf(TAG, "prepareOperationTimeout() doesn't support operation " +
2526                    Integer.toHexString(token) + " of type " + operationType);
2527            return;
2528        }
2529        if (MORE_DEBUG) Slog.v(TAG, "starting timeout: token=" + Integer.toHexString(token)
2530                + " interval=" + interval + " callback=" + callback);
2531
2532        synchronized (mCurrentOpLock) {
2533            mCurrentOperations.put(token, new Operation(OP_PENDING, callback, operationType));
2534            Message msg = mBackupHandler.obtainMessage(getMessageIdForOperationType(operationType),
2535                    token, 0, callback);
2536            mBackupHandler.sendMessageDelayed(msg, interval);
2537        }
2538    }
2539
2540    private int getMessageIdForOperationType(int operationType) {
2541        switch (operationType) {
2542            case OP_TYPE_BACKUP_WAIT:
2543                return MSG_BACKUP_OPERATION_TIMEOUT;
2544            case OP_TYPE_RESTORE_WAIT:
2545                return MSG_RESTORE_OPERATION_TIMEOUT;
2546            default:
2547                Slog.wtf(TAG, "getMessageIdForOperationType called on invalid operation type: " +
2548                        operationType);
2549                return -1;
2550        }
2551    }
2552
2553    private void removeOperation(int token) {
2554        if (MORE_DEBUG) {
2555            Slog.d(TAG, "Removing operation token=" + Integer.toHexString(token));
2556        }
2557        synchronized (mCurrentOpLock) {
2558            if (mCurrentOperations.get(token) == null) {
2559                Slog.w(TAG, "Duplicate remove for operation. token=" +
2560                        Integer.toHexString(token));
2561            }
2562            mCurrentOperations.remove(token);
2563        }
2564    }
2565
2566    // synchronous waiter case
2567    @Override
2568    public boolean waitUntilOperationComplete(int token) {
2569        if (MORE_DEBUG) Slog.i(TAG, "Blocking until operation complete for "
2570                + Integer.toHexString(token));
2571        int finalState = OP_PENDING;
2572        Operation op = null;
2573        synchronized (mCurrentOpLock) {
2574            while (true) {
2575                op = mCurrentOperations.get(token);
2576                if (op == null) {
2577                    // mysterious disappearance: treat as success with no callback
2578                    break;
2579                } else {
2580                    if (op.state == OP_PENDING) {
2581                        try {
2582                            mCurrentOpLock.wait();
2583                        } catch (InterruptedException e) {
2584                        }
2585                        // When the wait is notified we loop around and recheck the current state
2586                    } else {
2587                        if (MORE_DEBUG) {
2588                            Slog.d(TAG, "Unblocked waiting for operation token=" +
2589                                    Integer.toHexString(token));
2590                        }
2591                        // No longer pending; we're done
2592                        finalState = op.state;
2593                        break;
2594                    }
2595                }
2596            }
2597        }
2598
2599        removeOperation(token);
2600        if (op != null) {
2601            mBackupHandler.removeMessages(getMessageIdForOperationType(op.type));
2602        }
2603        if (MORE_DEBUG) Slog.v(TAG, "operation " + Integer.toHexString(token)
2604                + " complete: finalState=" + finalState);
2605        return finalState == OP_ACKNOWLEDGED;
2606    }
2607
2608    void handleCancel(int token, boolean cancelAll) {
2609        // Notify any synchronous waiters
2610        Operation op = null;
2611        synchronized (mCurrentOpLock) {
2612            op = mCurrentOperations.get(token);
2613            if (MORE_DEBUG) {
2614                if (op == null) Slog.w(TAG, "Cancel of token " + Integer.toHexString(token)
2615                        + " but no op found");
2616            }
2617            int state = (op != null) ? op.state : OP_TIMEOUT;
2618            if (state == OP_ACKNOWLEDGED) {
2619                // The operation finished cleanly, so we have nothing more to do.
2620                if (DEBUG) {
2621                    Slog.w(TAG, "Operation already got an ack." +
2622                            "Should have been removed from mCurrentOperations.");
2623                }
2624                op = null;
2625                mCurrentOperations.delete(token);
2626            } else if (state == OP_PENDING) {
2627                if (DEBUG) Slog.v(TAG, "Cancel: token=" + Integer.toHexString(token));
2628                op.state = OP_TIMEOUT;
2629                // Can't delete op from mCurrentOperations here. waitUntilOperationComplete may be
2630                // called after we receive cancel here. We need this op's state there.
2631
2632                // Remove all pending timeout messages of types OP_TYPE_BACKUP_WAIT and
2633                // OP_TYPE_RESTORE_WAIT. On the other hand, OP_TYPE_BACKUP cannot time out and
2634                // doesn't require cancellation.
2635                if (op.type == OP_TYPE_BACKUP_WAIT || op.type == OP_TYPE_RESTORE_WAIT) {
2636                    mBackupHandler.removeMessages(getMessageIdForOperationType(op.type));
2637                }
2638            }
2639            mCurrentOpLock.notifyAll();
2640        }
2641
2642        // If there's a TimeoutHandler for this event, call it
2643        if (op != null && op.callback != null) {
2644            if (MORE_DEBUG) {
2645                Slog.v(TAG, "   Invoking cancel on " + op.callback);
2646            }
2647            op.callback.handleCancel(cancelAll);
2648        }
2649    }
2650
2651    // ----- Back up a set of applications via a worker thread -----
2652
2653    enum BackupState {
2654        INITIAL,
2655        RUNNING_QUEUE,
2656        FINAL
2657    }
2658
2659    /**
2660     * This class handles the process of backing up a given list of key/value backup packages.
2661     * Also takes in a list of pending dolly backups and kicks them off when key/value backups
2662     * are done.
2663     *
2664     * Flow:
2665     * If required, backup @pm@.
2666     * For each pending key/value backup package:
2667     *     - Bind to agent.
2668     *     - Call agent.doBackup()
2669     *     - Wait either for cancel/timeout or operationComplete() callback from the agent.
2670     * Start task to perform dolly backups.
2671     *
2672     * There are three entry points into this class:
2673     *     - execute() [Called from the handler thread]
2674     *     - operationComplete(long result) [Called from the handler thread]
2675     *     - handleCancel(boolean cancelAll) [Can be called from any thread]
2676     * These methods synchronize on mCancelLock.
2677     *
2678     * Interaction with mCurrentOperations:
2679     *     - An entry for this task is put into mCurrentOperations for the entire lifetime of the
2680     *       task. This is useful to cancel the task if required.
2681     *     - An ephemeral entry is put into mCurrentOperations each time we are waiting on for
2682     *       response from a backup agent. This is used to plumb timeouts and completion callbacks.
2683     */
2684    class PerformBackupTask implements BackupRestoreTask {
2685        private static final String TAG = "PerformBackupTask";
2686
2687        private final Object mCancelLock = new Object();
2688
2689        IBackupTransport mTransport;
2690        ArrayList<BackupRequest> mQueue;
2691        ArrayList<BackupRequest> mOriginalQueue;
2692        File mStateDir;
2693        File mJournal;
2694        BackupState mCurrentState;
2695        List<String> mPendingFullBackups;
2696        IBackupObserver mObserver;
2697        IBackupManagerMonitor mMonitor;
2698
2699        private final PerformFullTransportBackupTask mFullBackupTask;
2700        private final int mCurrentOpToken;
2701        private volatile int mEphemeralOpToken;
2702
2703        // carried information about the current in-flight operation
2704        IBackupAgent mAgentBinder;
2705        PackageInfo mCurrentPackage;
2706        File mSavedStateName;
2707        File mBackupDataName;
2708        File mNewStateName;
2709        ParcelFileDescriptor mSavedState;
2710        ParcelFileDescriptor mBackupData;
2711        ParcelFileDescriptor mNewState;
2712        int mStatus;
2713        boolean mFinished;
2714        final boolean mUserInitiated;
2715        final boolean mNonIncremental;
2716
2717        private volatile boolean mCancelAll;
2718
2719        public PerformBackupTask(IBackupTransport transport, String dirName,
2720                ArrayList<BackupRequest> queue, File journal, IBackupObserver observer,
2721                IBackupManagerMonitor monitor, List<String> pendingFullBackups,
2722                boolean userInitiated, boolean nonIncremental) {
2723            mTransport = transport;
2724            mOriginalQueue = queue;
2725            mQueue = new ArrayList<>();
2726            mJournal = journal;
2727            mObserver = observer;
2728            mMonitor = monitor;
2729            mPendingFullBackups = pendingFullBackups;
2730            mUserInitiated = userInitiated;
2731            mNonIncremental = nonIncremental;
2732
2733            mStateDir = new File(mBaseStateDir, dirName);
2734            mCurrentOpToken = generateRandomIntegerToken();
2735
2736            mFinished = false;
2737
2738            synchronized (mCurrentOpLock) {
2739                if (isBackupOperationInProgress()) {
2740                    if (DEBUG) {
2741                        Slog.d(TAG, "Skipping backup since one is already in progress.");
2742                    }
2743                    mCancelAll = true;
2744                    mFullBackupTask = null;
2745                    mCurrentState = BackupState.FINAL;
2746                    addBackupTrace("Skipped. Backup already in progress.");
2747                } else {
2748                    mCurrentState = BackupState.INITIAL;
2749                    CountDownLatch latch = new CountDownLatch(1);
2750                    String[] fullBackups =
2751                            mPendingFullBackups.toArray(new String[mPendingFullBackups.size()]);
2752                    mFullBackupTask =
2753                            new PerformFullTransportBackupTask(/*fullBackupRestoreObserver*/ null,
2754                                    fullBackups, /*updateSchedule*/ false, /*runningJob*/ null,
2755                                    latch,
2756                                    mObserver, mMonitor, mUserInitiated);
2757
2758                    registerTask();
2759                    addBackupTrace("STATE => INITIAL");
2760                }
2761            }
2762        }
2763
2764        /**
2765         * Put this task in the repository of running tasks.
2766         */
2767        private void registerTask() {
2768            synchronized (mCurrentOpLock) {
2769                mCurrentOperations.put(mCurrentOpToken, new Operation(OP_PENDING, this,
2770                        OP_TYPE_BACKUP));
2771            }
2772        }
2773
2774        /**
2775         * Remove this task from repository of running tasks.
2776         */
2777        private void unregisterTask() {
2778            removeOperation(mCurrentOpToken);
2779        }
2780
2781        // Main entry point: perform one chunk of work, updating the state as appropriate
2782        // and reposting the next chunk to the primary backup handler thread.
2783        @Override
2784        @GuardedBy("mCancelLock")
2785        public void execute() {
2786            synchronized (mCancelLock) {
2787                switch (mCurrentState) {
2788                    case INITIAL:
2789                        beginBackup();
2790                        break;
2791
2792                    case RUNNING_QUEUE:
2793                        invokeNextAgent();
2794                        break;
2795
2796                    case FINAL:
2797                        if (!mFinished) finalizeBackup();
2798                        else {
2799                            Slog.e(TAG, "Duplicate finish");
2800                        }
2801                        mFinished = true;
2802                        break;
2803                }
2804            }
2805        }
2806
2807        // We're starting a backup pass.  Initialize the transport and send
2808        // the PM metadata blob if we haven't already.
2809        void beginBackup() {
2810            if (DEBUG_BACKUP_TRACE) {
2811                clearBackupTrace();
2812                StringBuilder b = new StringBuilder(256);
2813                b.append("beginBackup: [");
2814                for (BackupRequest req : mOriginalQueue) {
2815                    b.append(' ');
2816                    b.append(req.packageName);
2817                }
2818                b.append(" ]");
2819                addBackupTrace(b.toString());
2820            }
2821
2822            mAgentBinder = null;
2823            mStatus = BackupTransport.TRANSPORT_OK;
2824
2825            // Sanity check: if the queue is empty we have no work to do.
2826            if (mOriginalQueue.isEmpty() && mPendingFullBackups.isEmpty()) {
2827                Slog.w(TAG, "Backup begun with an empty queue - nothing to do.");
2828                addBackupTrace("queue empty at begin");
2829                sendBackupFinished(mObserver, BackupManager.SUCCESS);
2830                executeNextState(BackupState.FINAL);
2831                return;
2832            }
2833
2834            // We need to retain the original queue contents in case of transport
2835            // failure, but we want a working copy that we can manipulate along
2836            // the way.
2837            mQueue = (ArrayList<BackupRequest>) mOriginalQueue.clone();
2838
2839            // When the transport is forcing non-incremental key/value payloads, we send the
2840            // metadata only if it explicitly asks for it.
2841            boolean skipPm = mNonIncremental;
2842
2843            // The app metadata pseudopackage might also be represented in the
2844            // backup queue if apps have been added/removed since the last time
2845            // we performed a backup.  Drop it from the working queue now that
2846            // we're committed to evaluating it for backup regardless.
2847            for (int i = 0; i < mQueue.size(); i++) {
2848                if (PACKAGE_MANAGER_SENTINEL.equals(mQueue.get(i).packageName)) {
2849                    if (MORE_DEBUG) {
2850                        Slog.i(TAG, "Metadata in queue; eliding");
2851                    }
2852                    mQueue.remove(i);
2853                    skipPm = false;
2854                    break;
2855                }
2856            }
2857
2858            if (DEBUG) Slog.v(TAG, "Beginning backup of " + mQueue.size() + " targets");
2859
2860            File pmState = new File(mStateDir, PACKAGE_MANAGER_SENTINEL);
2861            try {
2862                final String transportName = mTransport.transportDirName();
2863                EventLog.writeEvent(EventLogTags.BACKUP_START, transportName);
2864
2865                // If we haven't stored package manager metadata yet, we must init the transport.
2866                if (mStatus == BackupTransport.TRANSPORT_OK && pmState.length() <= 0) {
2867                    Slog.i(TAG, "Initializing (wiping) backup state and transport storage");
2868                    addBackupTrace("initializing transport " + transportName);
2869                    resetBackupState(mStateDir);  // Just to make sure.
2870                    mStatus = mTransport.initializeDevice();
2871
2872                    addBackupTrace("transport.initializeDevice() == " + mStatus);
2873                    if (mStatus == BackupTransport.TRANSPORT_OK) {
2874                        EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
2875                    } else {
2876                        EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
2877                        Slog.e(TAG, "Transport error in initializeDevice()");
2878                    }
2879                }
2880
2881                if (skipPm) {
2882                    Slog.d(TAG, "Skipping backup of package metadata.");
2883                    executeNextState(BackupState.RUNNING_QUEUE);
2884                } else {
2885                    // The package manager doesn't have a proper <application> etc, but since
2886                    // it's running here in the system process we can just set up its agent
2887                    // directly and use a synthetic BackupRequest.  We always run this pass
2888                    // because it's cheap and this way we guarantee that we don't get out of
2889                    // step even if we're selecting among various transports at run time.
2890                    if (mStatus == BackupTransport.TRANSPORT_OK) {
2891                        PackageManagerBackupAgent pmAgent = new PackageManagerBackupAgent(
2892                                mPackageManager);
2893                        mStatus = invokeAgentForBackup(PACKAGE_MANAGER_SENTINEL,
2894                                IBackupAgent.Stub.asInterface(pmAgent.onBind()), mTransport);
2895                        addBackupTrace("PMBA invoke: " + mStatus);
2896
2897                        // Because the PMBA is a local instance, it has already executed its
2898                        // backup callback and returned.  Blow away the lingering (spurious)
2899                        // pending timeout message for it.
2900                        mBackupHandler.removeMessages(MSG_BACKUP_OPERATION_TIMEOUT);
2901                    }
2902                }
2903
2904                if (mStatus == BackupTransport.TRANSPORT_NOT_INITIALIZED) {
2905                    // The backend reports that our dataset has been wiped.  Note this in
2906                    // the event log; the no-success code below will reset the backup
2907                    // state as well.
2908                    EventLog.writeEvent(EventLogTags.BACKUP_RESET, mTransport.transportDirName());
2909                }
2910            } catch (Exception e) {
2911                Slog.e(TAG, "Error in backup thread", e);
2912                addBackupTrace("Exception in backup thread: " + e);
2913                mStatus = BackupTransport.TRANSPORT_ERROR;
2914            } finally {
2915                // If we've succeeded so far, invokeAgentForBackup() will have run the PM
2916                // metadata and its completion/timeout callback will continue the state
2917                // machine chain.  If it failed that won't happen; we handle that now.
2918                addBackupTrace("exiting prelim: " + mStatus);
2919                if (mStatus != BackupTransport.TRANSPORT_OK) {
2920                    // if things went wrong at this point, we need to
2921                    // restage everything and try again later.
2922                    resetBackupState(mStateDir);  // Just to make sure.
2923                    // In case of any other error, it's backup transport error.
2924                    sendBackupFinished(mObserver, BackupManager.ERROR_TRANSPORT_ABORTED);
2925                    executeNextState(BackupState.FINAL);
2926                }
2927            }
2928        }
2929
2930        // Transport has been initialized and the PM metadata submitted successfully
2931        // if that was warranted.  Now we process the single next thing in the queue.
2932        void invokeNextAgent() {
2933            mStatus = BackupTransport.TRANSPORT_OK;
2934            addBackupTrace("invoke q=" + mQueue.size());
2935
2936            // Sanity check that we have work to do.  If not, skip to the end where
2937            // we reestablish the wakelock invariants etc.
2938            if (mQueue.isEmpty()) {
2939                if (MORE_DEBUG) Slog.i(TAG, "queue now empty");
2940                executeNextState(BackupState.FINAL);
2941                return;
2942            }
2943
2944            // pop the entry we're going to process on this step
2945            BackupRequest request = mQueue.get(0);
2946            mQueue.remove(0);
2947
2948            Slog.d(TAG, "starting key/value backup of " + request);
2949            addBackupTrace("launch agent for " + request.packageName);
2950
2951            // Verify that the requested app exists; it might be something that
2952            // requested a backup but was then uninstalled.  The request was
2953            // journalled and rather than tamper with the journal it's safer
2954            // to sanity-check here.  This also gives us the classname of the
2955            // package's backup agent.
2956            try {
2957                mCurrentPackage = mPackageManager.getPackageInfo(request.packageName,
2958                        PackageManager.GET_SIGNATURES);
2959                if (!appIsEligibleForBackup(mCurrentPackage.applicationInfo, mPackageManager)) {
2960                    // The manifest has changed but we had a stale backup request pending.
2961                    // This won't happen again because the app won't be requesting further
2962                    // backups.
2963                    Slog.i(TAG, "Package " + request.packageName
2964                            + " no longer supports backup; skipping");
2965                    addBackupTrace("skipping - not eligible, completion is noop");
2966                    // Shouldn't happen in case of requested backup, as pre-check was done in
2967                    // #requestBackup(), except to app update done concurrently
2968                    sendBackupOnPackageResult(mObserver, mCurrentPackage.packageName,
2969                            BackupManager.ERROR_BACKUP_NOT_ALLOWED);
2970                    executeNextState(BackupState.RUNNING_QUEUE);
2971                    return;
2972                }
2973
2974                if (appGetsFullBackup(mCurrentPackage)) {
2975                    // It's possible that this app *formerly* was enqueued for key/value backup,
2976                    // but has since been updated and now only supports the full-data path.
2977                    // Don't proceed with a key/value backup for it in this case.
2978                    Slog.i(TAG, "Package " + request.packageName
2979                            + " requests full-data rather than key/value; skipping");
2980                    addBackupTrace("skipping - fullBackupOnly, completion is noop");
2981                    // Shouldn't happen in case of requested backup, as pre-check was done in
2982                    // #requestBackup()
2983                    sendBackupOnPackageResult(mObserver, mCurrentPackage.packageName,
2984                            BackupManager.ERROR_BACKUP_NOT_ALLOWED);
2985                    executeNextState(BackupState.RUNNING_QUEUE);
2986                    return;
2987                }
2988
2989                if (appIsStopped(mCurrentPackage.applicationInfo)) {
2990                    // The app has been force-stopped or cleared or just installed,
2991                    // and not yet launched out of that state, so just as it won't
2992                    // receive broadcasts, we won't run it for backup.
2993                    addBackupTrace("skipping - stopped");
2994                    sendBackupOnPackageResult(mObserver, mCurrentPackage.packageName,
2995                            BackupManager.ERROR_BACKUP_NOT_ALLOWED);
2996                    executeNextState(BackupState.RUNNING_QUEUE);
2997                    return;
2998                }
2999
3000                IBackupAgent agent = null;
3001                try {
3002                    mWakelock.setWorkSource(new WorkSource(mCurrentPackage.applicationInfo.uid));
3003                    agent = bindToAgentSynchronous(mCurrentPackage.applicationInfo,
3004                            ApplicationThreadConstants.BACKUP_MODE_INCREMENTAL);
3005                    addBackupTrace("agent bound; a? = " + (agent != null));
3006                    if (agent != null) {
3007                        mAgentBinder = agent;
3008                        mStatus = invokeAgentForBackup(request.packageName, agent, mTransport);
3009                        // at this point we'll either get a completion callback from the
3010                        // agent, or a timeout message on the main handler.  either way, we're
3011                        // done here as long as we're successful so far.
3012                    } else {
3013                        // Timeout waiting for the agent
3014                        mStatus = BackupTransport.AGENT_ERROR;
3015                    }
3016                } catch (SecurityException ex) {
3017                    // Try for the next one.
3018                    Slog.d(TAG, "error in bind/backup", ex);
3019                    mStatus = BackupTransport.AGENT_ERROR;
3020                            addBackupTrace("agent SE");
3021                }
3022            } catch (NameNotFoundException e) {
3023                Slog.d(TAG, "Package does not exist; skipping");
3024                addBackupTrace("no such package");
3025                mStatus = BackupTransport.AGENT_UNKNOWN;
3026            } finally {
3027                mWakelock.setWorkSource(null);
3028
3029                // If there was an agent error, no timeout/completion handling will occur.
3030                // That means we need to direct to the next state ourselves.
3031                if (mStatus != BackupTransport.TRANSPORT_OK) {
3032                    BackupState nextState = BackupState.RUNNING_QUEUE;
3033                    mAgentBinder = null;
3034
3035                    // An agent-level failure means we reenqueue this one agent for
3036                    // a later retry, but otherwise proceed normally.
3037                    if (mStatus == BackupTransport.AGENT_ERROR) {
3038                        if (MORE_DEBUG) Slog.i(TAG, "Agent failure for " + request.packageName
3039                                + " - restaging");
3040                        dataChangedImpl(request.packageName);
3041                        mStatus = BackupTransport.TRANSPORT_OK;
3042                        if (mQueue.isEmpty()) nextState = BackupState.FINAL;
3043                        sendBackupOnPackageResult(mObserver, mCurrentPackage.packageName,
3044                                BackupManager.ERROR_AGENT_FAILURE);
3045                    } else if (mStatus == BackupTransport.AGENT_UNKNOWN) {
3046                        // Failed lookup of the app, so we couldn't bring up an agent, but
3047                        // we're otherwise fine.  Just drop it and go on to the next as usual.
3048                        mStatus = BackupTransport.TRANSPORT_OK;
3049                        sendBackupOnPackageResult(mObserver, mCurrentPackage.packageName,
3050                                BackupManager.ERROR_PACKAGE_NOT_FOUND);
3051                    } else {
3052                        // Transport-level failure means we reenqueue everything
3053                        revertAndEndBackup();
3054                        nextState = BackupState.FINAL;
3055                    }
3056
3057                    executeNextState(nextState);
3058                } else {
3059                    // success case
3060                    addBackupTrace("expecting completion/timeout callback");
3061                }
3062            }
3063        }
3064
3065        void finalizeBackup() {
3066            addBackupTrace("finishing");
3067
3068            // Mark packages that we didn't backup (because backup was cancelled, etc.) as needing
3069            // backup.
3070            for (BackupRequest req : mQueue) {
3071                dataChangedImpl(req.packageName);
3072            }
3073
3074            // Either backup was successful, in which case we of course do not need
3075            // this pass's journal any more; or it failed, in which case we just
3076            // re-enqueued all of these packages in the current active journal.
3077            // Either way, we no longer need this pass's journal.
3078            if (mJournal != null && !mJournal.delete()) {
3079                Slog.e(TAG, "Unable to remove backup journal file " + mJournal);
3080            }
3081
3082            // If everything actually went through and this is the first time we've
3083            // done a backup, we can now record what the current backup dataset token
3084            // is.
3085            if ((mCurrentToken == 0) && (mStatus == BackupTransport.TRANSPORT_OK)) {
3086                addBackupTrace("success; recording token");
3087                try {
3088                    mCurrentToken = mTransport.getCurrentRestoreSet();
3089                    writeRestoreTokens();
3090                } catch (Exception e) {
3091                    // nothing for it at this point, unfortunately, but this will be
3092                    // recorded the next time we fully succeed.
3093                    Slog.e(TAG, "Transport threw reporting restore set: " + e.getMessage());
3094                    addBackupTrace("transport threw returning token");
3095                }
3096            }
3097
3098            // Set up the next backup pass - at this point we can set mBackupRunning
3099            // to false to allow another pass to fire, because we're done with the
3100            // state machine sequence and the wakelock is refcounted.
3101            synchronized (mQueueLock) {
3102                mBackupRunning = false;
3103                if (mStatus == BackupTransport.TRANSPORT_NOT_INITIALIZED) {
3104                    // Make sure we back up everything and perform the one-time init
3105                    if (MORE_DEBUG) Slog.d(TAG, "Server requires init; rerunning");
3106                    addBackupTrace("init required; rerunning");
3107                    try {
3108                        final String name = mTransportManager.getTransportName(mTransport);
3109                        if (name != null) {
3110                            mPendingInits.add(name);
3111                        } else {
3112                            if (DEBUG) {
3113                                Slog.w(TAG, "Couldn't find name of transport " + mTransport
3114                                        + " for init");
3115                            }
3116                        }
3117                    } catch (Exception e) {
3118                        Slog.w(TAG, "Failed to query transport name for init: " + e.getMessage());
3119                        // swallow it and proceed; we don't rely on this
3120                    }
3121                    clearMetadata();
3122                    backupNow();
3123                }
3124            }
3125
3126            clearBackupTrace();
3127
3128            unregisterTask();
3129
3130            if (!mCancelAll && mStatus == BackupTransport.TRANSPORT_OK &&
3131                    mPendingFullBackups != null && !mPendingFullBackups.isEmpty()) {
3132                Slog.d(TAG, "Starting full backups for: " + mPendingFullBackups);
3133                // Acquiring wakelock for PerformFullTransportBackupTask before its start.
3134                mWakelock.acquire();
3135                (new Thread(mFullBackupTask, "full-transport-requested")).start();
3136            } else if (mCancelAll) {
3137                if (mFullBackupTask != null) {
3138                    mFullBackupTask.unregisterTask();
3139                }
3140                sendBackupFinished(mObserver, BackupManager.ERROR_BACKUP_CANCELLED);
3141            } else {
3142                mFullBackupTask.unregisterTask();
3143                switch (mStatus) {
3144                    case BackupTransport.TRANSPORT_OK:
3145                        sendBackupFinished(mObserver, BackupManager.SUCCESS);
3146                        break;
3147                    case BackupTransport.TRANSPORT_NOT_INITIALIZED:
3148                        sendBackupFinished(mObserver, BackupManager.ERROR_TRANSPORT_ABORTED);
3149                        break;
3150                    case BackupTransport.TRANSPORT_ERROR:
3151                    default:
3152                        sendBackupFinished(mObserver, BackupManager.ERROR_TRANSPORT_ABORTED);
3153                        break;
3154                }
3155            }
3156            Slog.i(BackupManagerService.TAG, "K/V backup pass finished.");
3157            // Only once we're entirely finished do we release the wakelock for k/v backup.
3158            mWakelock.release();
3159        }
3160
3161        // Remove the PM metadata state. This will generate an init on the next pass.
3162        void clearMetadata() {
3163            final File pmState = new File(mStateDir, PACKAGE_MANAGER_SENTINEL);
3164            if (pmState.exists()) pmState.delete();
3165        }
3166
3167        // Invoke an agent's doBackup() and start a timeout message spinning on the main
3168        // handler in case it doesn't get back to us.
3169        int invokeAgentForBackup(String packageName, IBackupAgent agent,
3170                IBackupTransport transport) {
3171            if (DEBUG) Slog.d(TAG, "invokeAgentForBackup on " + packageName);
3172            addBackupTrace("invoking " + packageName);
3173
3174            File blankStateName = new File(mStateDir, "blank_state");
3175            mSavedStateName = new File(mStateDir, packageName);
3176            mBackupDataName = new File(mDataDir, packageName + ".data");
3177            mNewStateName = new File(mStateDir, packageName + ".new");
3178            if (MORE_DEBUG) Slog.d(TAG, "data file: " + mBackupDataName);
3179
3180            mSavedState = null;
3181            mBackupData = null;
3182            mNewState = null;
3183
3184            boolean callingAgent = false;
3185            mEphemeralOpToken = generateRandomIntegerToken();
3186            try {
3187                // Look up the package info & signatures.  This is first so that if it
3188                // throws an exception, there's no file setup yet that would need to
3189                // be unraveled.
3190                if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) {
3191                    // The metadata 'package' is synthetic; construct one and make
3192                    // sure our global state is pointed at it
3193                    mCurrentPackage = new PackageInfo();
3194                    mCurrentPackage.packageName = packageName;
3195                }
3196
3197                // In a full backup, we pass a null ParcelFileDescriptor as
3198                // the saved-state "file". For key/value backups we pass the old state if
3199                // an incremental backup is required, and a blank state otherwise.
3200                mSavedState = ParcelFileDescriptor.open(
3201                        mNonIncremental ? blankStateName : mSavedStateName,
3202                        ParcelFileDescriptor.MODE_READ_ONLY |
3203                        ParcelFileDescriptor.MODE_CREATE);  // Make an empty file if necessary
3204
3205                mBackupData = ParcelFileDescriptor.open(mBackupDataName,
3206                        ParcelFileDescriptor.MODE_READ_WRITE |
3207                        ParcelFileDescriptor.MODE_CREATE |
3208                        ParcelFileDescriptor.MODE_TRUNCATE);
3209
3210                if (!SELinux.restorecon(mBackupDataName)) {
3211                    Slog.e(TAG, "SELinux restorecon failed on " + mBackupDataName);
3212                }
3213
3214                mNewState = ParcelFileDescriptor.open(mNewStateName,
3215                        ParcelFileDescriptor.MODE_READ_WRITE |
3216                        ParcelFileDescriptor.MODE_CREATE |
3217                        ParcelFileDescriptor.MODE_TRUNCATE);
3218
3219                final long quota = mTransport.getBackupQuota(packageName, false /* isFullBackup */);
3220                callingAgent = true;
3221
3222                // Initiate the target's backup pass
3223                addBackupTrace("setting timeout");
3224                prepareOperationTimeout(mEphemeralOpToken, TIMEOUT_BACKUP_INTERVAL, this,
3225                        OP_TYPE_BACKUP_WAIT);
3226                addBackupTrace("calling agent doBackup()");
3227
3228                agent.doBackup(mSavedState, mBackupData, mNewState, quota, mEphemeralOpToken,
3229                        mBackupManagerBinder);
3230            } catch (Exception e) {
3231                Slog.e(TAG, "Error invoking for backup on " + packageName + ". " + e);
3232                addBackupTrace("exception: " + e);
3233                EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, packageName,
3234                        e.toString());
3235                errorCleanup();
3236                return callingAgent ? BackupTransport.AGENT_ERROR
3237                        : BackupTransport.TRANSPORT_ERROR;
3238            } finally {
3239                if (mNonIncremental) {
3240                    blankStateName.delete();
3241                }
3242            }
3243
3244            // At this point the agent is off and running.  The next thing to happen will
3245            // either be a callback from the agent, at which point we'll process its data
3246            // for transport, or a timeout.  Either way the next phase will happen in
3247            // response to the TimeoutHandler interface callbacks.
3248            addBackupTrace("invoke success");
3249            return BackupTransport.TRANSPORT_OK;
3250        }
3251
3252        public void failAgent(IBackupAgent agent, String message) {
3253            try {
3254                agent.fail(message);
3255            } catch (Exception e) {
3256                Slog.w(TAG, "Error conveying failure to " + mCurrentPackage.packageName);
3257            }
3258        }
3259
3260        // SHA-1 a byte array and return the result in hex
3261        private String SHA1Checksum(byte[] input) {
3262            final byte[] checksum;
3263            try {
3264                MessageDigest md = MessageDigest.getInstance("SHA-1");
3265                checksum = md.digest(input);
3266            } catch (NoSuchAlgorithmException e) {
3267                Slog.e(TAG, "Unable to use SHA-1!");
3268                return "00";
3269            }
3270
3271            StringBuffer sb = new StringBuffer(checksum.length * 2);
3272            for (int i = 0; i < checksum.length; i++) {
3273                sb.append(Integer.toHexString(checksum[i]));
3274            }
3275            return sb.toString();
3276        }
3277
3278        private void writeWidgetPayloadIfAppropriate(FileDescriptor fd, String pkgName)
3279                throws IOException {
3280            // TODO: http://b/22388012
3281            byte[] widgetState = AppWidgetBackupBridge.getWidgetState(pkgName,
3282                    UserHandle.USER_SYSTEM);
3283            // has the widget state changed since last time?
3284            final File widgetFile = new File(mStateDir, pkgName + "_widget");
3285            final boolean priorStateExists = widgetFile.exists();
3286
3287            if (MORE_DEBUG) {
3288                if (priorStateExists || widgetState != null) {
3289                    Slog.i(TAG, "Checking widget update: state=" + (widgetState != null)
3290                            + " prior=" + priorStateExists);
3291                }
3292            }
3293
3294            if (!priorStateExists && widgetState == null) {
3295                // no prior state, no new state => nothing to do
3296                return;
3297            }
3298
3299            // if the new state is not null, we might need to compare checksums to
3300            // determine whether to update the widget blob in the archive.  If the
3301            // widget state *is* null, we know a priori at this point that we simply
3302            // need to commit a deletion for it.
3303            String newChecksum = null;
3304            if (widgetState != null) {
3305                newChecksum = SHA1Checksum(widgetState);
3306                if (priorStateExists) {
3307                    final String priorChecksum;
3308                    try (
3309                        FileInputStream fin = new FileInputStream(widgetFile);
3310                        DataInputStream in = new DataInputStream(fin)
3311                    ) {
3312                        priorChecksum = in.readUTF();
3313                    }
3314                    if (Objects.equals(newChecksum, priorChecksum)) {
3315                        // Same checksum => no state change => don't rewrite the widget data
3316                        return;
3317                    }
3318                }
3319            } // else widget state *became* empty, so we need to commit a deletion
3320
3321            BackupDataOutput out = new BackupDataOutput(fd);
3322            if (widgetState != null) {
3323                try (
3324                    FileOutputStream fout = new FileOutputStream(widgetFile);
3325                    DataOutputStream stateOut = new DataOutputStream(fout)
3326                ) {
3327                    stateOut.writeUTF(newChecksum);
3328                }
3329
3330                out.writeEntityHeader(KEY_WIDGET_STATE, widgetState.length);
3331                out.writeEntityData(widgetState, widgetState.length);
3332            } else {
3333                // Widget state for this app has been removed; commit a deletion
3334                out.writeEntityHeader(KEY_WIDGET_STATE, -1);
3335                widgetFile.delete();
3336            }
3337        }
3338
3339        @Override
3340        @GuardedBy("mCancelLock")
3341        public void operationComplete(long unusedResult) {
3342            removeOperation(mEphemeralOpToken);
3343            synchronized (mCancelLock) {
3344                // The agent reported back to us!
3345                if (mFinished) {
3346                    Slog.d(TAG, "operationComplete received after task finished.");
3347                    return;
3348                }
3349
3350                if (mBackupData == null) {
3351                    // This callback was racing with our timeout, so we've cleaned up the
3352                    // agent state already and are on to the next thing.  We have nothing
3353                    // further to do here: agent state having been cleared means that we've
3354                    // initiated the appropriate next operation.
3355                    final String pkg = (mCurrentPackage != null)
3356                            ? mCurrentPackage.packageName : "[none]";
3357                    if (MORE_DEBUG) {
3358                        Slog.i(TAG, "Callback after agent teardown: " + pkg);
3359                    }
3360                    addBackupTrace("late opComplete; curPkg = " + pkg);
3361                    return;
3362                }
3363
3364                final String pkgName = mCurrentPackage.packageName;
3365                final long filepos = mBackupDataName.length();
3366                FileDescriptor fd = mBackupData.getFileDescriptor();
3367                try {
3368                    // If it's a 3rd party app, see whether they wrote any protected keys
3369                    // and complain mightily if they are attempting shenanigans.
3370                    if (mCurrentPackage.applicationInfo != null &&
3371                            (mCurrentPackage.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM)
3372                                    == 0) {
3373                        ParcelFileDescriptor readFd = ParcelFileDescriptor.open(mBackupDataName,
3374                                ParcelFileDescriptor.MODE_READ_ONLY);
3375                        BackupDataInput in = new BackupDataInput(readFd.getFileDescriptor());
3376                        try {
3377                            while (in.readNextHeader()) {
3378                                final String key = in.getKey();
3379                                if (key != null && key.charAt(0) >= 0xff00) {
3380                                    // Not okay: crash them and bail.
3381                                    failAgent(mAgentBinder, "Illegal backup key: " + key);
3382                                    addBackupTrace("illegal key " + key + " from " + pkgName);
3383                                    EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, pkgName,
3384                                            "bad key");
3385                                    mMonitor = monitorEvent(mMonitor,
3386                                            BackupManagerMonitor.LOG_EVENT_ID_ILLEGAL_KEY,
3387                                            mCurrentPackage,
3388                                            BackupManagerMonitor
3389                                                    .LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
3390                                            putMonitoringExtra(null,
3391                                                    BackupManagerMonitor.EXTRA_LOG_ILLEGAL_KEY,
3392                                                    key));
3393                                    mBackupHandler.removeMessages(MSG_BACKUP_OPERATION_TIMEOUT);
3394                                    sendBackupOnPackageResult(mObserver, pkgName,
3395                                            BackupManager.ERROR_AGENT_FAILURE);
3396                                    errorCleanup();
3397                                    // agentErrorCleanup() implicitly executes next state properly
3398                                    return;
3399                                }
3400                                in.skipEntityData();
3401                            }
3402                        } finally {
3403                            if (readFd != null) {
3404                                readFd.close();
3405                            }
3406                        }
3407                    }
3408
3409                    // Piggyback the widget state payload, if any
3410                    writeWidgetPayloadIfAppropriate(fd, pkgName);
3411                } catch (IOException e) {
3412                    // Hard disk error; recovery/failure policy TBD.  For now roll back,
3413                    // but we may want to consider this a transport-level failure (i.e.
3414                    // we're in such a bad state that we can't contemplate doing backup
3415                    // operations any more during this pass).
3416                    Slog.w(TAG, "Unable to save widget state for " + pkgName);
3417                    try {
3418                        Os.ftruncate(fd, filepos);
3419                    } catch (ErrnoException ee) {
3420                        Slog.w(TAG, "Unable to roll back!");
3421                    }
3422                }
3423
3424                // Spin the data off to the transport and proceed with the next stage.
3425                if (MORE_DEBUG) Slog.v(TAG, "operationComplete(): sending data to transport for "
3426                        + pkgName);
3427                mBackupHandler.removeMessages(MSG_BACKUP_OPERATION_TIMEOUT);
3428                clearAgentState();
3429                addBackupTrace("operation complete");
3430
3431                ParcelFileDescriptor backupData = null;
3432                mStatus = BackupTransport.TRANSPORT_OK;
3433                long size = 0;
3434                try {
3435                    size = mBackupDataName.length();
3436                    if (size > 0) {
3437                        if (mStatus == BackupTransport.TRANSPORT_OK) {
3438                            backupData = ParcelFileDescriptor.open(mBackupDataName,
3439                                    ParcelFileDescriptor.MODE_READ_ONLY);
3440                            addBackupTrace("sending data to transport");
3441                            int flags = mUserInitiated ? BackupTransport.FLAG_USER_INITIATED : 0;
3442                            mStatus = mTransport.performBackup(mCurrentPackage, backupData, flags);
3443                        }
3444
3445                        // TODO - We call finishBackup() for each application backed up, because
3446                        // we need to know now whether it succeeded or failed.  Instead, we should
3447                        // hold off on finishBackup() until the end, which implies holding off on
3448                        // renaming *all* the output state files (see below) until that happens.
3449
3450                        addBackupTrace("data delivered: " + mStatus);
3451                        if (mStatus == BackupTransport.TRANSPORT_OK) {
3452                            addBackupTrace("finishing op on transport");
3453                            mStatus = mTransport.finishBackup();
3454                            addBackupTrace("finished: " + mStatus);
3455                        } else if (mStatus == BackupTransport.TRANSPORT_PACKAGE_REJECTED) {
3456                            addBackupTrace("transport rejected package");
3457                        }
3458                    } else {
3459                        if (MORE_DEBUG) Slog.i(TAG,
3460                                "no backup data written; not calling transport");
3461                        addBackupTrace("no data to send");
3462                        mMonitor = monitorEvent(mMonitor,
3463                                BackupManagerMonitor.LOG_EVENT_ID_NO_DATA_TO_SEND,
3464                                mCurrentPackage,
3465                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
3466                                null);
3467                    }
3468
3469                    if (mStatus == BackupTransport.TRANSPORT_OK) {
3470                        // After successful transport, delete the now-stale data
3471                        // and juggle the files so that next time we supply the agent
3472                        // with the new state file it just created.
3473                        mBackupDataName.delete();
3474                        mNewStateName.renameTo(mSavedStateName);
3475                        sendBackupOnPackageResult(mObserver, pkgName, BackupManager.SUCCESS);
3476                        EventLog.writeEvent(EventLogTags.BACKUP_PACKAGE, pkgName, size);
3477                        logBackupComplete(pkgName);
3478                    } else if (mStatus == BackupTransport.TRANSPORT_PACKAGE_REJECTED) {
3479                        // The transport has rejected backup of this specific package.  Roll it
3480                        // back but proceed with running the rest of the queue.
3481                        mBackupDataName.delete();
3482                        mNewStateName.delete();
3483                        sendBackupOnPackageResult(mObserver, pkgName,
3484                                BackupManager.ERROR_TRANSPORT_PACKAGE_REJECTED);
3485                        EventLogTags.writeBackupAgentFailure(pkgName, "Transport rejected");
3486                    } else if (mStatus == BackupTransport.TRANSPORT_QUOTA_EXCEEDED) {
3487                        sendBackupOnPackageResult(mObserver, pkgName,
3488                                BackupManager.ERROR_TRANSPORT_QUOTA_EXCEEDED);
3489                        EventLog.writeEvent(EventLogTags.BACKUP_QUOTA_EXCEEDED, pkgName);
3490                    } else {
3491                        // Actual transport-level failure to communicate the data to the backend
3492                        sendBackupOnPackageResult(mObserver, pkgName,
3493                                BackupManager.ERROR_TRANSPORT_ABORTED);
3494                        EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, pkgName);
3495                    }
3496                } catch (Exception e) {
3497                    sendBackupOnPackageResult(mObserver, pkgName,
3498                            BackupManager.ERROR_TRANSPORT_ABORTED);
3499                    Slog.e(TAG, "Transport error backing up " + pkgName, e);
3500                    EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, pkgName);
3501                    mStatus = BackupTransport.TRANSPORT_ERROR;
3502                } finally {
3503                    try {
3504                        if (backupData != null) backupData.close();
3505                    } catch (IOException e) {
3506                    }
3507                }
3508
3509                final BackupState nextState;
3510                if (mStatus == BackupTransport.TRANSPORT_OK
3511                        || mStatus == BackupTransport.TRANSPORT_PACKAGE_REJECTED) {
3512                    // Success or single-package rejection.  Proceed with the next app if any,
3513                    // otherwise we're done.
3514                    nextState = (mQueue.isEmpty()) ? BackupState.FINAL : BackupState.RUNNING_QUEUE;
3515                } else if (mStatus == BackupTransport.TRANSPORT_QUOTA_EXCEEDED) {
3516                    if (MORE_DEBUG) {
3517                        Slog.d(TAG, "Package " + mCurrentPackage.packageName +
3518                                " hit quota limit on k/v backup");
3519                    }
3520                    if (mAgentBinder != null) {
3521                        try {
3522                            long quota = mTransport.getBackupQuota(mCurrentPackage.packageName,
3523                                    false);
3524                            mAgentBinder.doQuotaExceeded(size, quota);
3525                        } catch (Exception e) {
3526                            Slog.e(TAG, "Unable to notify about quota exceeded: " + e.getMessage());
3527                        }
3528                    }
3529                    nextState = (mQueue.isEmpty()) ? BackupState.FINAL : BackupState.RUNNING_QUEUE;
3530                } else {
3531                    // Any other error here indicates a transport-level failure.  That means
3532                    // we need to halt everything and reschedule everything for next time.
3533                    revertAndEndBackup();
3534                    nextState = BackupState.FINAL;
3535                }
3536
3537                executeNextState(nextState);
3538            }
3539        }
3540
3541
3542        @Override
3543        @GuardedBy("mCancelLock")
3544        public void handleCancel(boolean cancelAll) {
3545            removeOperation(mEphemeralOpToken);
3546            synchronized (mCancelLock) {
3547                if (mFinished) {
3548                    // We have already cancelled this operation.
3549                    if (MORE_DEBUG) {
3550                        Slog.d(TAG, "Ignoring stale cancel. cancelAll=" + cancelAll);
3551                    }
3552                    return;
3553                }
3554                mCancelAll = cancelAll;
3555                final String logPackageName = (mCurrentPackage != null)
3556                        ? mCurrentPackage.packageName
3557                        : "no_package_yet";
3558                Slog.i(TAG, "Cancel backing up " + logPackageName);
3559                EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, logPackageName);
3560                addBackupTrace("cancel of " + logPackageName + ", cancelAll=" + cancelAll);
3561                mMonitor = monitorEvent(mMonitor,
3562                        BackupManagerMonitor.LOG_EVENT_ID_KEY_VALUE_BACKUP_CANCEL,
3563                        mCurrentPackage, BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT,
3564                        putMonitoringExtra(null, BackupManagerMonitor.EXTRA_LOG_CANCEL_ALL,
3565                                mCancelAll));
3566                errorCleanup();
3567                if (!cancelAll) {
3568                    // The current agent either timed out or was cancelled running doBackup().
3569                    // Restage it for the next time we run a backup pass.
3570                    // !!! TODO: keep track of failure counts per agent, and blacklist those which
3571                    // fail repeatedly (i.e. have proved themselves to be buggy).
3572                    executeNextState(
3573                            mQueue.isEmpty() ? BackupState.FINAL : BackupState.RUNNING_QUEUE);
3574                    dataChangedImpl(mCurrentPackage.packageName);
3575                } else {
3576                    finalizeBackup();
3577                }
3578            }
3579        }
3580
3581        void revertAndEndBackup() {
3582            if (MORE_DEBUG) Slog.i(TAG, "Reverting backup queue - restaging everything");
3583            addBackupTrace("transport error; reverting");
3584
3585            // We want to reset the backup schedule based on whatever the transport suggests
3586            // by way of retry/backoff time.
3587            long delay;
3588            try {
3589                delay = mTransport.requestBackupTime();
3590            } catch (Exception e) {
3591                Slog.w(TAG, "Unable to contact transport for recommended backoff: " + e.getMessage());
3592                delay = 0;  // use the scheduler's default
3593            }
3594            KeyValueBackupJob.schedule(mContext, delay);
3595
3596            for (BackupRequest request : mOriginalQueue) {
3597                dataChangedImpl(request.packageName);
3598            }
3599
3600        }
3601
3602        void errorCleanup() {
3603            mBackupDataName.delete();
3604            mNewStateName.delete();
3605            clearAgentState();
3606        }
3607
3608        // Cleanup common to both success and failure cases
3609        void clearAgentState() {
3610            try { if (mSavedState != null) mSavedState.close(); } catch (IOException e) {}
3611            try { if (mBackupData != null) mBackupData.close(); } catch (IOException e) {}
3612            try { if (mNewState != null) mNewState.close(); } catch (IOException e) {}
3613            synchronized (mCurrentOpLock) {
3614                // Current-operation callback handling requires the validity of these various
3615                // bits of internal state as an invariant of the operation still being live.
3616                // This means we make sure to clear all of the state in unison inside the lock.
3617                mCurrentOperations.remove(mEphemeralOpToken);
3618                mSavedState = mBackupData = mNewState = null;
3619            }
3620
3621            // If this was a pseudopackage there's no associated Activity Manager state
3622            if (mCurrentPackage.applicationInfo != null) {
3623                addBackupTrace("unbinding " + mCurrentPackage.packageName);
3624                try {  // unbind even on timeout, just in case
3625                    mActivityManager.unbindBackupAgent(mCurrentPackage.applicationInfo);
3626                } catch (RemoteException e) { /* can't happen; activity manager is local */ }
3627            }
3628        }
3629
3630        void executeNextState(BackupState nextState) {
3631            if (MORE_DEBUG) Slog.i(TAG, " => executing next step on "
3632                    + this + " nextState=" + nextState);
3633            addBackupTrace("executeNextState => " + nextState);
3634            mCurrentState = nextState;
3635            Message msg = mBackupHandler.obtainMessage(MSG_BACKUP_RESTORE_STEP, this);
3636            mBackupHandler.sendMessage(msg);
3637        }
3638    }
3639
3640    private boolean isBackupOperationInProgress() {
3641        synchronized (mCurrentOpLock) {
3642            for (int i = 0; i < mCurrentOperations.size(); i++) {
3643                Operation op = mCurrentOperations.valueAt(i);
3644                if (op.type == OP_TYPE_BACKUP && op.state == OP_PENDING) {
3645                    return true;
3646                }
3647            }
3648        }
3649        return false;
3650    }
3651
3652
3653    // ----- Full backup/restore to a file/socket -----
3654
3655    class FullBackupObbConnection implements ServiceConnection {
3656        volatile IObbBackupService mService;
3657
3658        FullBackupObbConnection() {
3659            mService = null;
3660        }
3661
3662        public void establish() {
3663            if (MORE_DEBUG) Slog.i(TAG, "Initiating bind of OBB service on " + this);
3664            Intent obbIntent = new Intent().setComponent(new ComponentName(
3665                    "com.android.sharedstoragebackup",
3666                    "com.android.sharedstoragebackup.ObbBackupService"));
3667            BackupManagerService.this.mContext.bindServiceAsUser(
3668                    obbIntent, this, Context.BIND_AUTO_CREATE, UserHandle.SYSTEM);
3669        }
3670
3671        public void tearDown() {
3672            BackupManagerService.this.mContext.unbindService(this);
3673        }
3674
3675        public boolean backupObbs(PackageInfo pkg, OutputStream out) {
3676            boolean success = false;
3677            waitForConnection();
3678
3679            ParcelFileDescriptor[] pipes = null;
3680            try {
3681                pipes = ParcelFileDescriptor.createPipe();
3682                int token = generateRandomIntegerToken();
3683                prepareOperationTimeout(token, TIMEOUT_FULL_BACKUP_INTERVAL,
3684                        null, OP_TYPE_BACKUP_WAIT);
3685                mService.backupObbs(pkg.packageName, pipes[1], token, mBackupManagerBinder);
3686                routeSocketDataToOutput(pipes[0], out);
3687                success = waitUntilOperationComplete(token);
3688            } catch (Exception e) {
3689                Slog.w(TAG, "Unable to back up OBBs for " + pkg, e);
3690            } finally {
3691                try {
3692                    out.flush();
3693                    if (pipes != null) {
3694                        if (pipes[0] != null) pipes[0].close();
3695                        if (pipes[1] != null) pipes[1].close();
3696                    }
3697                } catch (IOException e) {
3698                    Slog.w(TAG, "I/O error closing down OBB backup", e);
3699                }
3700            }
3701            return success;
3702        }
3703
3704        public void restoreObbFile(String pkgName, ParcelFileDescriptor data,
3705                long fileSize, int type, String path, long mode, long mtime,
3706                int token, IBackupManager callbackBinder) {
3707            waitForConnection();
3708
3709            try {
3710                mService.restoreObbFile(pkgName, data, fileSize, type, path, mode, mtime,
3711                        token, callbackBinder);
3712            } catch (Exception e) {
3713                Slog.w(TAG, "Unable to restore OBBs for " + pkgName, e);
3714            }
3715        }
3716
3717        private void waitForConnection() {
3718            synchronized (this) {
3719                while (mService == null) {
3720                    if (MORE_DEBUG) Slog.i(TAG, "...waiting for OBB service binding...");
3721                    try {
3722                        this.wait();
3723                    } catch (InterruptedException e) { /* never interrupted */ }
3724                }
3725                if (MORE_DEBUG) Slog.i(TAG, "Connected to OBB service; continuing");
3726            }
3727        }
3728
3729        @Override
3730        public void onServiceConnected(ComponentName name, IBinder service) {
3731            synchronized (this) {
3732                mService = IObbBackupService.Stub.asInterface(service);
3733                if (MORE_DEBUG) Slog.i(TAG, "OBB service connection " + mService
3734                        + " connected on " + this);
3735                this.notifyAll();
3736            }
3737        }
3738
3739        @Override
3740        public void onServiceDisconnected(ComponentName name) {
3741            synchronized (this) {
3742                mService = null;
3743                if (MORE_DEBUG) Slog.i(TAG, "OBB service connection disconnected on " + this);
3744                this.notifyAll();
3745            }
3746        }
3747
3748    }
3749
3750    static void routeSocketDataToOutput(ParcelFileDescriptor inPipe, OutputStream out)
3751            throws IOException {
3752        // We do not take close() responsibility for the pipe FD
3753        FileInputStream raw = new FileInputStream(inPipe.getFileDescriptor());
3754        DataInputStream in = new DataInputStream(raw);
3755
3756        byte[] buffer = new byte[32 * 1024];
3757        int chunkTotal;
3758        while ((chunkTotal = in.readInt()) > 0) {
3759            while (chunkTotal > 0) {
3760                int toRead = (chunkTotal > buffer.length) ? buffer.length : chunkTotal;
3761                int nRead = in.read(buffer, 0, toRead);
3762                out.write(buffer, 0, nRead);
3763                chunkTotal -= nRead;
3764            }
3765        }
3766    }
3767
3768    @Override
3769    public void tearDownAgentAndKill(ApplicationInfo app) {
3770        if (app == null) {
3771            // Null means the system package, so just quietly move on.  :)
3772            return;
3773        }
3774
3775        try {
3776            // unbind and tidy up even on timeout or failure, just in case
3777            mActivityManager.unbindBackupAgent(app);
3778
3779            // The agent was running with a stub Application object, so shut it down.
3780            // !!! We hardcode the confirmation UI's package name here rather than use a
3781            //     manifest flag!  TODO something less direct.
3782            if (app.uid >= Process.FIRST_APPLICATION_UID
3783                    && !app.packageName.equals("com.android.backupconfirm")) {
3784                if (MORE_DEBUG) Slog.d(TAG, "Killing agent host process");
3785                mActivityManager.killApplicationProcess(app.processName, app.uid);
3786            } else {
3787                if (MORE_DEBUG) Slog.d(TAG, "Not killing after operation: " + app.processName);
3788            }
3789        } catch (RemoteException e) {
3790            Slog.d(TAG, "Lost app trying to shut down");
3791        }
3792    }
3793
3794    // Core logic for performing one package's full backup, gathering the tarball from the
3795    // application and emitting it to the designated OutputStream.
3796
3797    // Callout from the engine to an interested participant that might need to communicate
3798    // with the agent prior to asking it to move data
3799    interface FullBackupPreflight {
3800        /**
3801         * Perform the preflight operation necessary for the given package.
3802         * @param pkg The name of the package being proposed for full-data backup
3803         * @param agent Live BackupAgent binding to the target app's agent
3804         * @return BackupTransport.TRANSPORT_OK to proceed with the backup operation,
3805         *         or one of the other BackupTransport.* error codes as appropriate
3806         */
3807        int preflightFullBackup(PackageInfo pkg, IBackupAgent agent);
3808
3809        long getExpectedSizeOrErrorCode();
3810    };
3811
3812    class FullBackupEngine {
3813        OutputStream mOutput;
3814        FullBackupPreflight mPreflightHook;
3815        BackupRestoreTask mTimeoutMonitor;
3816        IBackupAgent mAgent;
3817        File mFilesDir;
3818        File mManifestFile;
3819        File mMetadataFile;
3820        boolean mIncludeApks;
3821        PackageInfo mPkg;
3822        private final long mQuota;
3823        private final int mOpToken;
3824
3825        class FullBackupRunner implements Runnable {
3826            PackageInfo mPackage;
3827            byte[] mWidgetData;
3828            IBackupAgent mAgent;
3829            ParcelFileDescriptor mPipe;
3830            int mToken;
3831            boolean mSendApk;
3832            boolean mWriteManifest;
3833
3834            FullBackupRunner(PackageInfo pack, IBackupAgent agent, ParcelFileDescriptor pipe,
3835                             int token, boolean sendApk, boolean writeManifest, byte[] widgetData)
3836                    throws IOException {
3837                mPackage = pack;
3838                mWidgetData = widgetData;
3839                mAgent = agent;
3840                mPipe = ParcelFileDescriptor.dup(pipe.getFileDescriptor());
3841                mToken = token;
3842                mSendApk = sendApk;
3843                mWriteManifest = writeManifest;
3844            }
3845
3846            @Override
3847            public void run() {
3848                try {
3849                    FullBackupDataOutput output = new FullBackupDataOutput(mPipe);
3850
3851                    if (mWriteManifest) {
3852                        final boolean writeWidgetData = mWidgetData != null;
3853                        if (MORE_DEBUG) Slog.d(TAG, "Writing manifest for " + mPackage.packageName);
3854                        writeAppManifest(mPackage, mPackageManager, mManifestFile, mSendApk, writeWidgetData);
3855                        FullBackup.backupToTar(mPackage.packageName, null, null,
3856                                mFilesDir.getAbsolutePath(),
3857                                mManifestFile.getAbsolutePath(),
3858                                output);
3859                        mManifestFile.delete();
3860
3861                        // We only need to write a metadata file if we have widget data to stash
3862                        if (writeWidgetData) {
3863                            writeMetadata(mPackage, mMetadataFile, mWidgetData);
3864                            FullBackup.backupToTar(mPackage.packageName, null, null,
3865                                    mFilesDir.getAbsolutePath(),
3866                                    mMetadataFile.getAbsolutePath(),
3867                                    output);
3868                            mMetadataFile.delete();
3869                        }
3870                    }
3871
3872                    if (mSendApk) {
3873                        writeApkToBackup(mPackage, output);
3874                    }
3875
3876                    final boolean isSharedStorage =
3877                            mPackage.packageName.equals(SHARED_BACKUP_AGENT_PACKAGE);
3878                    final long timeout = isSharedStorage ?
3879                            TIMEOUT_SHARED_BACKUP_INTERVAL : TIMEOUT_FULL_BACKUP_INTERVAL;
3880
3881                    if (DEBUG) Slog.d(TAG, "Calling doFullBackup() on " + mPackage.packageName);
3882                    prepareOperationTimeout(mToken, timeout, mTimeoutMonitor /* in parent class */,
3883                            OP_TYPE_BACKUP_WAIT);
3884                    mAgent.doFullBackup(mPipe, mQuota, mToken, mBackupManagerBinder);
3885                } catch (IOException e) {
3886                    Slog.e(TAG, "Error running full backup for " + mPackage.packageName);
3887                } catch (RemoteException e) {
3888                    Slog.e(TAG, "Remote agent vanished during full backup of "
3889                            + mPackage.packageName);
3890                } finally {
3891                    try {
3892                        mPipe.close();
3893                    } catch (IOException e) {}
3894                }
3895            }
3896        }
3897
3898        FullBackupEngine(OutputStream output, FullBackupPreflight preflightHook, PackageInfo pkg,
3899                         boolean alsoApks, BackupRestoreTask timeoutMonitor, long quota, int opToken) {
3900            mOutput = output;
3901            mPreflightHook = preflightHook;
3902            mPkg = pkg;
3903            mIncludeApks = alsoApks;
3904            mTimeoutMonitor = timeoutMonitor;
3905            mFilesDir = new File("/data/system");
3906            mManifestFile = new File(mFilesDir, BACKUP_MANIFEST_FILENAME);
3907            mMetadataFile = new File(mFilesDir, BACKUP_METADATA_FILENAME);
3908            mQuota = quota;
3909            mOpToken = opToken;
3910        }
3911
3912        public int preflightCheck() throws RemoteException {
3913            if (mPreflightHook == null) {
3914                if (MORE_DEBUG) {
3915                    Slog.v(TAG, "No preflight check");
3916                }
3917                return BackupTransport.TRANSPORT_OK;
3918            }
3919            if (initializeAgent()) {
3920                int result = mPreflightHook.preflightFullBackup(mPkg, mAgent);
3921                if (MORE_DEBUG) {
3922                    Slog.v(TAG, "preflight returned " + result);
3923                }
3924                return result;
3925            } else {
3926                Slog.w(TAG, "Unable to bind to full agent for " + mPkg.packageName);
3927                return BackupTransport.AGENT_ERROR;
3928            }
3929        }
3930
3931        public int backupOnePackage() throws RemoteException {
3932            int result = BackupTransport.AGENT_ERROR;
3933
3934            if (initializeAgent()) {
3935                ParcelFileDescriptor[] pipes = null;
3936                try {
3937                    pipes = ParcelFileDescriptor.createPipe();
3938
3939                    ApplicationInfo app = mPkg.applicationInfo;
3940                    final boolean isSharedStorage =
3941                            mPkg.packageName.equals(SHARED_BACKUP_AGENT_PACKAGE);
3942                    final boolean sendApk = mIncludeApks
3943                            && !isSharedStorage
3944                            && ((app.privateFlags & ApplicationInfo.PRIVATE_FLAG_FORWARD_LOCK) == 0)
3945                            && ((app.flags & ApplicationInfo.FLAG_SYSTEM) == 0 ||
3946                            (app.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0);
3947
3948                    // TODO: http://b/22388012
3949                    byte[] widgetBlob = AppWidgetBackupBridge.getWidgetState(mPkg.packageName,
3950                            UserHandle.USER_SYSTEM);
3951
3952                    FullBackupRunner runner = new FullBackupRunner(mPkg, mAgent, pipes[1],
3953                            mOpToken, sendApk, !isSharedStorage, widgetBlob);
3954                    pipes[1].close();   // the runner has dup'd it
3955                    pipes[1] = null;
3956                    Thread t = new Thread(runner, "app-data-runner");
3957                    t.start();
3958
3959                    // Now pull data from the app and stuff it into the output
3960                    routeSocketDataToOutput(pipes[0], mOutput);
3961
3962                    if (!waitUntilOperationComplete(mOpToken)) {
3963                        Slog.e(TAG, "Full backup failed on package " + mPkg.packageName);
3964                    } else {
3965                        if (MORE_DEBUG) {
3966                            Slog.d(TAG, "Full package backup success: " + mPkg.packageName);
3967                        }
3968                        result = BackupTransport.TRANSPORT_OK;
3969                    }
3970                } catch (IOException e) {
3971                    Slog.e(TAG, "Error backing up " + mPkg.packageName + ": " + e.getMessage());
3972                    result = BackupTransport.AGENT_ERROR;
3973                } finally {
3974                    try {
3975                        // flush after every package
3976                        mOutput.flush();
3977                        if (pipes != null) {
3978                            if (pipes[0] != null) pipes[0].close();
3979                            if (pipes[1] != null) pipes[1].close();
3980                        }
3981                    } catch (IOException e) {
3982                        Slog.w(TAG, "Error bringing down backup stack");
3983                        result = BackupTransport.TRANSPORT_ERROR;
3984                    }
3985                }
3986            } else {
3987                Slog.w(TAG, "Unable to bind to full agent for " + mPkg.packageName);
3988            }
3989            tearDown();
3990            return result;
3991        }
3992
3993        public void sendQuotaExceeded(final long backupDataBytes, final long quotaBytes) {
3994            if (initializeAgent()) {
3995                try {
3996                    mAgent.doQuotaExceeded(backupDataBytes, quotaBytes);
3997                } catch (RemoteException e) {
3998                    Slog.e(TAG, "Remote exception while telling agent about quota exceeded");
3999                }
4000            }
4001        }
4002
4003        private boolean initializeAgent() {
4004            if (mAgent == null) {
4005                if (MORE_DEBUG) {
4006                    Slog.d(TAG, "Binding to full backup agent : " + mPkg.packageName);
4007                }
4008                mAgent = bindToAgentSynchronous(mPkg.applicationInfo,
4009                        ApplicationThreadConstants.BACKUP_MODE_FULL);
4010            }
4011            return mAgent != null;
4012        }
4013
4014        private void writeApkToBackup(PackageInfo pkg, FullBackupDataOutput output) {
4015            // Forward-locked apps, system-bundled .apks, etc are filtered out before we get here
4016            // TODO: handle backing up split APKs
4017            final String appSourceDir = pkg.applicationInfo.getBaseCodePath();
4018            final String apkDir = new File(appSourceDir).getParent();
4019            FullBackup.backupToTar(pkg.packageName, FullBackup.APK_TREE_TOKEN, null,
4020                    apkDir, appSourceDir, output);
4021
4022            // TODO: migrate this to SharedStorageBackup, since AID_SYSTEM
4023            // doesn't have access to external storage.
4024
4025            // Save associated .obb content if it exists and we did save the apk
4026            // check for .obb and save those too
4027            // TODO: http://b/22388012
4028            final UserEnvironment userEnv = new UserEnvironment(UserHandle.USER_SYSTEM);
4029            final File obbDir = userEnv.buildExternalStorageAppObbDirs(pkg.packageName)[0];
4030            if (obbDir != null) {
4031                if (MORE_DEBUG) Log.i(TAG, "obb dir: " + obbDir.getAbsolutePath());
4032                File[] obbFiles = obbDir.listFiles();
4033                if (obbFiles != null) {
4034                    final String obbDirName = obbDir.getAbsolutePath();
4035                    for (File obb : obbFiles) {
4036                        FullBackup.backupToTar(pkg.packageName, FullBackup.OBB_TREE_TOKEN, null,
4037                                obbDirName, obb.getAbsolutePath(), output);
4038                    }
4039                }
4040            }
4041        }
4042
4043        // Widget metadata format. All header entries are strings ending in LF:
4044        //
4045        // Version 1 header:
4046        //     BACKUP_METADATA_VERSION, currently "1"
4047        //     package name
4048        //
4049        // File data (all integers are binary in network byte order)
4050        // *N: 4 : integer token identifying which metadata blob
4051        //     4 : integer size of this blob = N
4052        //     N : raw bytes of this metadata blob
4053        //
4054        // Currently understood blobs (always in network byte order):
4055        //
4056        //     widgets : metadata token = 0x01FFED01 (BACKUP_WIDGET_METADATA_TOKEN)
4057        //
4058        // Unrecognized blobs are *ignored*, not errors.
4059        private void writeMetadata(PackageInfo pkg, File destination, byte[] widgetData)
4060                throws IOException {
4061            StringBuilder b = new StringBuilder(512);
4062            StringBuilderPrinter printer = new StringBuilderPrinter(b);
4063            printer.println(Integer.toString(BACKUP_METADATA_VERSION));
4064            printer.println(pkg.packageName);
4065
4066            FileOutputStream fout = new FileOutputStream(destination);
4067            BufferedOutputStream bout = new BufferedOutputStream(fout);
4068            DataOutputStream out = new DataOutputStream(bout);
4069            bout.write(b.toString().getBytes());    // bypassing DataOutputStream
4070
4071            if (widgetData != null && widgetData.length > 0) {
4072                out.writeInt(BACKUP_WIDGET_METADATA_TOKEN);
4073                out.writeInt(widgetData.length);
4074                out.write(widgetData);
4075            }
4076            bout.flush();
4077            out.close();
4078
4079            // As with the manifest file, guarantee idempotence of the archive metadata
4080            // for the widget block by using a fixed mtime on the transient file.
4081            destination.setLastModified(0);
4082        }
4083
4084        private void tearDown() {
4085            if (mPkg != null) {
4086                tearDownAgentAndKill(mPkg.applicationInfo);
4087            }
4088        }
4089    }
4090
4091    static void writeAppManifest(PackageInfo pkg, PackageManager packageManager, File manifestFile,
4092            boolean withApk, boolean withWidgets) throws IOException {
4093        // Manifest format. All data are strings ending in LF:
4094        //     BACKUP_MANIFEST_VERSION, currently 1
4095        //
4096        // Version 1:
4097        //     package name
4098        //     package's versionCode
4099        //     platform versionCode
4100        //     getInstallerPackageName() for this package (maybe empty)
4101        //     boolean: "1" if archive includes .apk; any other string means not
4102        //     number of signatures == N
4103        // N*:    signature byte array in ascii format per Signature.toCharsString()
4104        StringBuilder builder = new StringBuilder(4096);
4105        StringBuilderPrinter printer = new StringBuilderPrinter(builder);
4106
4107        printer.println(Integer.toString(BACKUP_MANIFEST_VERSION));
4108        printer.println(pkg.packageName);
4109        printer.println(Integer.toString(pkg.versionCode));
4110        printer.println(Integer.toString(Build.VERSION.SDK_INT));
4111
4112        String installerName = packageManager.getInstallerPackageName(pkg.packageName);
4113        printer.println((installerName != null) ? installerName : "");
4114
4115        printer.println(withApk ? "1" : "0");
4116        if (pkg.signatures == null) {
4117            printer.println("0");
4118        } else {
4119            printer.println(Integer.toString(pkg.signatures.length));
4120            for (Signature sig : pkg.signatures) {
4121                printer.println(sig.toCharsString());
4122            }
4123        }
4124
4125        FileOutputStream outstream = new FileOutputStream(manifestFile);
4126        outstream.write(builder.toString().getBytes());
4127        outstream.close();
4128
4129        // We want the manifest block in the archive stream to be idempotent:
4130        // each time we generate a backup stream for the app, we want the manifest
4131        // block to be identical.  The underlying tar mechanism sees it as a file,
4132        // though, and will propagate its mtime, causing the tar header to vary.
4133        // Avoid this problem by pinning the mtime to zero.
4134        manifestFile.setLastModified(0);
4135    }
4136
4137    // Generic driver skeleton for full backup operations
4138    abstract class FullBackupTask implements Runnable {
4139        IFullBackupRestoreObserver mObserver;
4140
4141        FullBackupTask(IFullBackupRestoreObserver observer) {
4142            mObserver = observer;
4143        }
4144
4145        // wrappers for observer use
4146        final void sendStartBackup() {
4147            if (mObserver != null) {
4148                try {
4149                    mObserver.onStartBackup();
4150                } catch (RemoteException e) {
4151                    Slog.w(TAG, "full backup observer went away: startBackup");
4152                    mObserver = null;
4153                }
4154            }
4155        }
4156
4157        final void sendOnBackupPackage(String name) {
4158            if (mObserver != null) {
4159                try {
4160                    // TODO: use a more user-friendly name string
4161                    mObserver.onBackupPackage(name);
4162                } catch (RemoteException e) {
4163                    Slog.w(TAG, "full backup observer went away: backupPackage");
4164                    mObserver = null;
4165                }
4166            }
4167        }
4168
4169        final void sendEndBackup() {
4170            if (mObserver != null) {
4171                try {
4172                    mObserver.onEndBackup();
4173                } catch (RemoteException e) {
4174                    Slog.w(TAG, "full backup observer went away: endBackup");
4175                    mObserver = null;
4176                }
4177            }
4178        }
4179    }
4180
4181    boolean deviceIsEncrypted() {
4182        try {
4183            return mStorageManager.getEncryptionState()
4184                     != StorageManager.ENCRYPTION_STATE_NONE
4185                && mStorageManager.getPasswordType()
4186                     != StorageManager.CRYPT_TYPE_DEFAULT;
4187        } catch (Exception e) {
4188            // If we can't talk to the storagemanager service we have a serious problem; fail
4189            // "secure" i.e. assuming that the device is encrypted.
4190            Slog.e(TAG, "Unable to communicate with storagemanager service: " + e.getMessage());
4191            return true;
4192        }
4193    }
4194
4195    // Full backup task variant used for adb backup
4196    class PerformAdbBackupTask extends FullBackupTask implements BackupRestoreTask {
4197        FullBackupEngine mBackupEngine;
4198        final AtomicBoolean mLatch;
4199
4200        ParcelFileDescriptor mOutputFile;
4201        DeflaterOutputStream mDeflater;
4202        boolean mIncludeApks;
4203        boolean mIncludeObbs;
4204        boolean mIncludeShared;
4205        boolean mDoWidgets;
4206        boolean mAllApps;
4207        boolean mIncludeSystem;
4208        boolean mCompress;
4209        boolean mKeyValue;
4210        ArrayList<String> mPackages;
4211        PackageInfo mCurrentTarget;
4212        String mCurrentPassword;
4213        String mEncryptPassword;
4214        private final int mCurrentOpToken;
4215
4216        PerformAdbBackupTask(ParcelFileDescriptor fd, IFullBackupRestoreObserver observer,
4217                boolean includeApks, boolean includeObbs, boolean includeShared, boolean doWidgets,
4218                String curPassword, String encryptPassword, boolean doAllApps, boolean doSystem,
4219                boolean doCompress, boolean doKeyValue, String[] packages, AtomicBoolean latch) {
4220            super(observer);
4221            mCurrentOpToken = generateRandomIntegerToken();
4222            mLatch = latch;
4223
4224            mOutputFile = fd;
4225            mIncludeApks = includeApks;
4226            mIncludeObbs = includeObbs;
4227            mIncludeShared = includeShared;
4228            mDoWidgets = doWidgets;
4229            mAllApps = doAllApps;
4230            mIncludeSystem = doSystem;
4231            mPackages = (packages == null)
4232                    ? new ArrayList<String>()
4233                    : new ArrayList<String>(Arrays.asList(packages));
4234            mCurrentPassword = curPassword;
4235            // when backing up, if there is a current backup password, we require that
4236            // the user use a nonempty encryption password as well.  if one is supplied
4237            // in the UI we use that, but if the UI was left empty we fall back to the
4238            // current backup password (which was supplied by the user as well).
4239            if (encryptPassword == null || "".equals(encryptPassword)) {
4240                mEncryptPassword = curPassword;
4241            } else {
4242                mEncryptPassword = encryptPassword;
4243            }
4244            if (MORE_DEBUG) {
4245                Slog.w(TAG, "Encrypting backup with passphrase=" + mEncryptPassword);
4246            }
4247            mCompress = doCompress;
4248            mKeyValue = doKeyValue;
4249        }
4250
4251        void addPackagesToSet(TreeMap<String, PackageInfo> set, List<String> pkgNames) {
4252            for (String pkgName : pkgNames) {
4253                if (!set.containsKey(pkgName)) {
4254                    try {
4255                        PackageInfo info = mPackageManager.getPackageInfo(pkgName,
4256                                PackageManager.GET_SIGNATURES);
4257                        set.put(pkgName, info);
4258                    } catch (NameNotFoundException e) {
4259                        Slog.w(TAG, "Unknown package " + pkgName + ", skipping");
4260                    }
4261                }
4262            }
4263        }
4264
4265        private OutputStream emitAesBackupHeader(StringBuilder headerbuf,
4266                OutputStream ofstream) throws Exception {
4267            // User key will be used to encrypt the master key.
4268            byte[] newUserSalt = randomBytes(PBKDF2_SALT_SIZE);
4269            SecretKey userKey = buildPasswordKey(PBKDF_CURRENT, mEncryptPassword, newUserSalt,
4270                    PBKDF2_HASH_ROUNDS);
4271
4272            // the master key is random for each backup
4273            byte[] masterPw = new byte[256 / 8];
4274            mRng.nextBytes(masterPw);
4275            byte[] checksumSalt = randomBytes(PBKDF2_SALT_SIZE);
4276
4277            // primary encryption of the datastream with the random key
4278            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
4279            SecretKeySpec masterKeySpec = new SecretKeySpec(masterPw, "AES");
4280            c.init(Cipher.ENCRYPT_MODE, masterKeySpec);
4281            OutputStream finalOutput = new CipherOutputStream(ofstream, c);
4282
4283            // line 4: name of encryption algorithm
4284            headerbuf.append(ENCRYPTION_ALGORITHM_NAME);
4285            headerbuf.append('\n');
4286            // line 5: user password salt [hex]
4287            headerbuf.append(byteArrayToHex(newUserSalt));
4288            headerbuf.append('\n');
4289            // line 6: master key checksum salt [hex]
4290            headerbuf.append(byteArrayToHex(checksumSalt));
4291            headerbuf.append('\n');
4292            // line 7: number of PBKDF2 rounds used [decimal]
4293            headerbuf.append(PBKDF2_HASH_ROUNDS);
4294            headerbuf.append('\n');
4295
4296            // line 8: IV of the user key [hex]
4297            Cipher mkC = Cipher.getInstance("AES/CBC/PKCS5Padding");
4298            mkC.init(Cipher.ENCRYPT_MODE, userKey);
4299
4300            byte[] IV = mkC.getIV();
4301            headerbuf.append(byteArrayToHex(IV));
4302            headerbuf.append('\n');
4303
4304            // line 9: master IV + key blob, encrypted by the user key [hex].  Blob format:
4305            //    [byte] IV length = Niv
4306            //    [array of Niv bytes] IV itself
4307            //    [byte] master key length = Nmk
4308            //    [array of Nmk bytes] master key itself
4309            //    [byte] MK checksum hash length = Nck
4310            //    [array of Nck bytes] master key checksum hash
4311            //
4312            // The checksum is the (master key + checksum salt), run through the
4313            // stated number of PBKDF2 rounds
4314            IV = c.getIV();
4315            byte[] mk = masterKeySpec.getEncoded();
4316            byte[] checksum = makeKeyChecksum(PBKDF_CURRENT, masterKeySpec.getEncoded(),
4317                    checksumSalt, PBKDF2_HASH_ROUNDS);
4318
4319            ByteArrayOutputStream blob = new ByteArrayOutputStream(IV.length + mk.length
4320                    + checksum.length + 3);
4321            DataOutputStream mkOut = new DataOutputStream(blob);
4322            mkOut.writeByte(IV.length);
4323            mkOut.write(IV);
4324            mkOut.writeByte(mk.length);
4325            mkOut.write(mk);
4326            mkOut.writeByte(checksum.length);
4327            mkOut.write(checksum);
4328            mkOut.flush();
4329            byte[] encryptedMk = mkC.doFinal(blob.toByteArray());
4330            headerbuf.append(byteArrayToHex(encryptedMk));
4331            headerbuf.append('\n');
4332
4333            return finalOutput;
4334        }
4335
4336        private void finalizeBackup(OutputStream out) {
4337            try {
4338                // A standard 'tar' EOF sequence: two 512-byte blocks of all zeroes.
4339                byte[] eof = new byte[512 * 2]; // newly allocated == zero filled
4340                out.write(eof);
4341            } catch (IOException e) {
4342                Slog.w(TAG, "Error attempting to finalize backup stream");
4343            }
4344        }
4345
4346        @Override
4347        public void run() {
4348            String includeKeyValue = mKeyValue ? ", including key-value backups" : "";
4349            Slog.i(TAG, "--- Performing adb backup" + includeKeyValue + " ---");
4350
4351            TreeMap<String, PackageInfo> packagesToBackup = new TreeMap<String, PackageInfo>();
4352            FullBackupObbConnection obbConnection = new FullBackupObbConnection();
4353            obbConnection.establish();  // we'll want this later
4354
4355            sendStartBackup();
4356
4357            // doAllApps supersedes the package set if any
4358            if (mAllApps) {
4359                List<PackageInfo> allPackages = mPackageManager.getInstalledPackages(
4360                        PackageManager.GET_SIGNATURES);
4361                for (int i = 0; i < allPackages.size(); i++) {
4362                    PackageInfo pkg = allPackages.get(i);
4363                    // Exclude system apps if we've been asked to do so
4364                    if (mIncludeSystem == true
4365                            || ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) == 0)) {
4366                        packagesToBackup.put(pkg.packageName, pkg);
4367                    }
4368                }
4369            }
4370
4371            // If we're doing widget state as well, ensure that we have all the involved
4372            // host & provider packages in the set
4373            if (mDoWidgets) {
4374                // TODO: http://b/22388012
4375                List<String> pkgs =
4376                        AppWidgetBackupBridge.getWidgetParticipants(UserHandle.USER_SYSTEM);
4377                if (pkgs != null) {
4378                    if (MORE_DEBUG) {
4379                        Slog.i(TAG, "Adding widget participants to backup set:");
4380                        StringBuilder sb = new StringBuilder(128);
4381                        sb.append("   ");
4382                        for (String s : pkgs) {
4383                            sb.append(' ');
4384                            sb.append(s);
4385                        }
4386                        Slog.i(TAG, sb.toString());
4387                    }
4388                    addPackagesToSet(packagesToBackup, pkgs);
4389                }
4390            }
4391
4392            // Now process the command line argument packages, if any. Note that explicitly-
4393            // named system-partition packages will be included even if includeSystem was
4394            // set to false.
4395            if (mPackages != null) {
4396                addPackagesToSet(packagesToBackup, mPackages);
4397            }
4398
4399            // Now we cull any inapplicable / inappropriate packages from the set.  This
4400            // includes the special shared-storage agent package; we handle that one
4401            // explicitly at the end of the backup pass. Packages supporting key-value backup are
4402            // added to their own queue, and handled after packages supporting fullbackup.
4403            ArrayList<PackageInfo> keyValueBackupQueue = new ArrayList<>();
4404            Iterator<Entry<String, PackageInfo>> iter = packagesToBackup.entrySet().iterator();
4405            while (iter.hasNext()) {
4406                PackageInfo pkg = iter.next().getValue();
4407                if (!appIsEligibleForBackup(pkg.applicationInfo, mPackageManager)
4408                        || appIsStopped(pkg.applicationInfo)) {
4409                    iter.remove();
4410                    if (DEBUG) {
4411                        Slog.i(TAG, "Package " + pkg.packageName
4412                                + " is not eligible for backup, removing.");
4413                    }
4414                } else if (appIsKeyValueOnly(pkg)) {
4415                    iter.remove();
4416                    if (DEBUG) {
4417                        Slog.i(TAG, "Package " + pkg.packageName
4418                                + " is key-value.");
4419                    }
4420                    keyValueBackupQueue.add(pkg);
4421                }
4422            }
4423
4424            // flatten the set of packages now so we can explicitly control the ordering
4425            ArrayList<PackageInfo> backupQueue =
4426                    new ArrayList<PackageInfo>(packagesToBackup.values());
4427            FileOutputStream ofstream = new FileOutputStream(mOutputFile.getFileDescriptor());
4428            OutputStream out = null;
4429
4430            PackageInfo pkg = null;
4431            try {
4432                boolean encrypting = (mEncryptPassword != null && mEncryptPassword.length() > 0);
4433
4434                // Only allow encrypted backups of encrypted devices
4435                if (deviceIsEncrypted() && !encrypting) {
4436                    Slog.e(TAG, "Unencrypted backup of encrypted device; aborting");
4437                    return;
4438                }
4439
4440                OutputStream finalOutput = ofstream;
4441
4442                // Verify that the given password matches the currently-active
4443                // backup password, if any
4444                if (!backupPasswordMatches(mCurrentPassword)) {
4445                    if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
4446                    return;
4447                }
4448
4449                // Write the global file header.  All strings are UTF-8 encoded; lines end
4450                // with a '\n' byte.  Actual backup data begins immediately following the
4451                // final '\n'.
4452                //
4453                // line 1: "ANDROID BACKUP"
4454                // line 2: backup file format version, currently "5"
4455                // line 3: compressed?  "0" if not compressed, "1" if compressed.
4456                // line 4: name of encryption algorithm [currently only "none" or "AES-256"]
4457                //
4458                // When line 4 is not "none", then additional header data follows:
4459                //
4460                // line 5: user password salt [hex]
4461                // line 6: master key checksum salt [hex]
4462                // line 7: number of PBKDF2 rounds to use (same for user & master) [decimal]
4463                // line 8: IV of the user key [hex]
4464                // line 9: master key blob [hex]
4465                //     IV of the master key, master key itself, master key checksum hash
4466                //
4467                // The master key checksum is the master key plus its checksum salt, run through
4468                // 10k rounds of PBKDF2.  This is used to verify that the user has supplied the
4469                // correct password for decrypting the archive:  the master key decrypted from
4470                // the archive using the user-supplied password is also run through PBKDF2 in
4471                // this way, and if the result does not match the checksum as stored in the
4472                // archive, then we know that the user-supplied password does not match the
4473                // archive's.
4474                StringBuilder headerbuf = new StringBuilder(1024);
4475
4476                headerbuf.append(BACKUP_FILE_HEADER_MAGIC);
4477                headerbuf.append(BACKUP_FILE_VERSION); // integer, no trailing \n
4478                headerbuf.append(mCompress ? "\n1\n" : "\n0\n");
4479
4480                try {
4481                    // Set up the encryption stage if appropriate, and emit the correct header
4482                    if (encrypting) {
4483                        finalOutput = emitAesBackupHeader(headerbuf, finalOutput);
4484                    } else {
4485                        headerbuf.append("none\n");
4486                    }
4487
4488                    byte[] header = headerbuf.toString().getBytes("UTF-8");
4489                    ofstream.write(header);
4490
4491                    // Set up the compression stage feeding into the encryption stage (if any)
4492                    if (mCompress) {
4493                        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
4494                        finalOutput = new DeflaterOutputStream(finalOutput, deflater, true);
4495                    }
4496
4497                    out = finalOutput;
4498                } catch (Exception e) {
4499                    // Should never happen!
4500                    Slog.e(TAG, "Unable to emit archive header", e);
4501                    return;
4502                }
4503
4504                // Shared storage if requested
4505                if (mIncludeShared) {
4506                    try {
4507                        pkg = mPackageManager.getPackageInfo(SHARED_BACKUP_AGENT_PACKAGE, 0);
4508                        backupQueue.add(pkg);
4509                    } catch (NameNotFoundException e) {
4510                        Slog.e(TAG, "Unable to find shared-storage backup handler");
4511                    }
4512                }
4513
4514                // Now actually run the constructed backup sequence for full backup
4515                int N = backupQueue.size();
4516                for (int i = 0; i < N; i++) {
4517                    pkg = backupQueue.get(i);
4518                    if (DEBUG) {
4519                        Slog.i(TAG,"--- Performing full backup for package " + pkg.packageName
4520                                + " ---");
4521                    }
4522                    final boolean isSharedStorage =
4523                            pkg.packageName.equals(SHARED_BACKUP_AGENT_PACKAGE);
4524
4525                    mBackupEngine = new FullBackupEngine(out, null, pkg, mIncludeApks, this, Long.MAX_VALUE, mCurrentOpToken);
4526                    sendOnBackupPackage(isSharedStorage ? "Shared storage" : pkg.packageName);
4527
4528                    // Don't need to check preflight result as there is no preflight hook.
4529                    mCurrentTarget = pkg;
4530                    mBackupEngine.backupOnePackage();
4531
4532                    // after the app's agent runs to handle its private filesystem
4533                    // contents, back up any OBB content it has on its behalf.
4534                    if (mIncludeObbs) {
4535                        boolean obbOkay = obbConnection.backupObbs(pkg, out);
4536                        if (!obbOkay) {
4537                            throw new RuntimeException("Failure writing OBB stack for " + pkg);
4538                        }
4539                    }
4540                }
4541                // And for key-value backup if enabled
4542                if (mKeyValue) {
4543                    for (PackageInfo keyValuePackage : keyValueBackupQueue) {
4544                        if (DEBUG) {
4545                            Slog.i(TAG, "--- Performing key-value backup for package "
4546                                    + keyValuePackage.packageName + " ---");
4547                        }
4548                        KeyValueAdbBackupEngine kvBackupEngine =
4549                                new KeyValueAdbBackupEngine(out, keyValuePackage,
4550                                        BackupManagerService.this,
4551                                        mPackageManager, mBaseStateDir, mDataDir);
4552                        sendOnBackupPackage(keyValuePackage.packageName);
4553                        kvBackupEngine.backupOnePackage();
4554                    }
4555                }
4556
4557                // Done!
4558                finalizeBackup(out);
4559            } catch (RemoteException e) {
4560                Slog.e(TAG, "App died during full backup");
4561            } catch (Exception e) {
4562                Slog.e(TAG, "Internal exception during full backup", e);
4563            } finally {
4564                try {
4565                    if (out != null) {
4566                        out.flush();
4567                        out.close();
4568                    }
4569                    mOutputFile.close();
4570                } catch (IOException e) {
4571                    /* nothing we can do about this */
4572                }
4573                synchronized (mLatch) {
4574                    mLatch.set(true);
4575                    mLatch.notifyAll();
4576                }
4577                sendEndBackup();
4578                obbConnection.tearDown();
4579                if (DEBUG) Slog.d(TAG, "Full backup pass complete.");
4580                mWakelock.release();
4581            }
4582        }
4583
4584        // BackupRestoreTask methods, used for timeout handling
4585        @Override
4586        public void execute() {
4587            // Unused
4588        }
4589
4590        @Override
4591        public void operationComplete(long result) {
4592            // Unused
4593        }
4594
4595        @Override
4596        public void handleCancel(boolean cancelAll) {
4597            final PackageInfo target = mCurrentTarget;
4598            if (DEBUG) {
4599                Slog.w(TAG, "adb backup cancel of " + target);
4600            }
4601            if (target != null) {
4602                tearDownAgentAndKill(mCurrentTarget.applicationInfo);
4603            }
4604            removeOperation(mCurrentOpToken);
4605        }
4606    }
4607
4608    /**
4609     * Full backup task extension used for transport-oriented operation.
4610     *
4611     * Flow:
4612     * For each requested package:
4613     *     - Spin off a new SinglePackageBackupRunner (mBackupRunner) for the current package.
4614     *     - Wait until preflight is complete. (mBackupRunner.getPreflightResultBlocking())
4615     *     - If preflight data size is within limit, start reading data from agent pipe and writing
4616     *       to transport pipe. While there is data to send, call transport.sendBackupData(int) to
4617     *       tell the transport how many bytes to expect on its pipe.
4618     *     - After sending all data, call transport.finishBackup() if things went well. And
4619     *       transport.cancelFullBackup() otherwise.
4620     *
4621     * Interactions with mCurrentOperations:
4622     *     - An entry for this object is added to mCurrentOperations for the entire lifetime of this
4623     *       object. Used to cancel the operation.
4624     *     - SinglePackageBackupRunner and SinglePackageBackupPreflight will put ephemeral entries
4625     *       to get timeouts or operation complete callbacks.
4626     *
4627     * Handling cancels:
4628     *     - The contract we provide is that the task won't interact with the transport after
4629     *       handleCancel() is done executing.
4630     *     - This task blocks at 3 points: 1. Preflight result check 2. Reading on agent side pipe
4631     *       and 3. Get backup result from mBackupRunner.
4632     *     - Bubbling up handleCancel to mBackupRunner handles all 3: 1. Calls handleCancel on the
4633     *       preflight operation which counts down on the preflight latch. 2. Tears down the agent,
4634     *       so read() returns -1. 3. Notifies mCurrentOpLock which unblocks
4635     *       mBackupRunner.getBackupResultBlocking().
4636     */
4637    class PerformFullTransportBackupTask extends FullBackupTask implements BackupRestoreTask {
4638        static final String TAG = "PFTBT";
4639
4640        private final Object mCancelLock = new Object();
4641
4642        ArrayList<PackageInfo> mPackages;
4643        PackageInfo mCurrentPackage;
4644        boolean mUpdateSchedule;
4645        CountDownLatch mLatch;
4646        FullBackupJob mJob;             // if a scheduled job needs to be finished afterwards
4647        IBackupObserver mBackupObserver;
4648        IBackupManagerMonitor mMonitor;
4649        boolean mUserInitiated;
4650        private volatile IBackupTransport mTransport;
4651        SinglePackageBackupRunner mBackupRunner;
4652        private final int mBackupRunnerOpToken;
4653
4654        // This is true when a backup operation for some package is in progress.
4655        private volatile boolean mIsDoingBackup;
4656        private volatile boolean mCancelAll;
4657        private final int mCurrentOpToken;
4658
4659        PerformFullTransportBackupTask(IFullBackupRestoreObserver observer,
4660                String[] whichPackages, boolean updateSchedule,
4661                FullBackupJob runningJob, CountDownLatch latch, IBackupObserver backupObserver,
4662                IBackupManagerMonitor monitor, boolean userInitiated) {
4663            super(observer);
4664            mUpdateSchedule = updateSchedule;
4665            mLatch = latch;
4666            mJob = runningJob;
4667            mPackages = new ArrayList<PackageInfo>(whichPackages.length);
4668            mBackupObserver = backupObserver;
4669            mMonitor = monitor;
4670            mUserInitiated = userInitiated;
4671            mCurrentOpToken = generateRandomIntegerToken();
4672            mBackupRunnerOpToken = generateRandomIntegerToken();
4673
4674            if (isBackupOperationInProgress()) {
4675                if (DEBUG) {
4676                    Slog.d(TAG, "Skipping full backup. A backup is already in progress.");
4677                }
4678                mCancelAll = true;
4679                return;
4680            }
4681
4682            registerTask();
4683
4684            for (String pkg : whichPackages) {
4685                try {
4686                    PackageInfo info = mPackageManager.getPackageInfo(pkg,
4687                            PackageManager.GET_SIGNATURES);
4688                    mCurrentPackage = info;
4689                    if (!appIsEligibleForBackup(info.applicationInfo, mPackageManager)) {
4690                        // Cull any packages that have indicated that backups are not permitted,
4691                        // that run as system-domain uids but do not define their own backup agents,
4692                        // as well as any explicit mention of the 'special' shared-storage agent
4693                        // package (we handle that one at the end).
4694                        if (MORE_DEBUG) {
4695                            Slog.d(TAG, "Ignoring ineligible package " + pkg);
4696                        }
4697                        mMonitor = monitorEvent(mMonitor,
4698                                BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_INELIGIBLE,
4699                                mCurrentPackage,
4700                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
4701                                null);
4702                        sendBackupOnPackageResult(mBackupObserver, pkg,
4703                            BackupManager.ERROR_BACKUP_NOT_ALLOWED);
4704                        continue;
4705                    } else if (!appGetsFullBackup(info)) {
4706                        // Cull any packages that are found in the queue but now aren't supposed
4707                        // to get full-data backup operations.
4708                        if (MORE_DEBUG) {
4709                            Slog.d(TAG, "Ignoring full-data backup of key/value participant "
4710                                    + pkg);
4711                        }
4712                        mMonitor = monitorEvent(mMonitor,
4713                                BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_KEY_VALUE_PARTICIPANT,
4714                                mCurrentPackage,
4715                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
4716                                null);
4717                        sendBackupOnPackageResult(mBackupObserver, pkg,
4718                                BackupManager.ERROR_BACKUP_NOT_ALLOWED);
4719                        continue;
4720                    } else if (appIsStopped(info.applicationInfo)) {
4721                        // Cull any packages in the 'stopped' state: they've either just been
4722                        // installed or have explicitly been force-stopped by the user.  In both
4723                        // cases we do not want to launch them for backup.
4724                        if (MORE_DEBUG) {
4725                            Slog.d(TAG, "Ignoring stopped package " + pkg);
4726                        }
4727                        mMonitor = monitorEvent(mMonitor,
4728                                BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_STOPPED,
4729                                mCurrentPackage,
4730                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
4731                                null);
4732                        sendBackupOnPackageResult(mBackupObserver, pkg,
4733                                BackupManager.ERROR_BACKUP_NOT_ALLOWED);
4734                        continue;
4735                    }
4736                    mPackages.add(info);
4737                } catch (NameNotFoundException e) {
4738                    Slog.i(TAG, "Requested package " + pkg + " not found; ignoring");
4739                    mMonitor = monitorEvent(mMonitor,
4740                            BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_NOT_FOUND,
4741                            mCurrentPackage,
4742                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
4743                            null);
4744                }
4745            }
4746        }
4747
4748        private void registerTask() {
4749            synchronized (mCurrentOpLock) {
4750                Slog.d(TAG, "backupmanager pftbt token=" + Integer.toHexString(mCurrentOpToken));
4751                mCurrentOperations.put(mCurrentOpToken, new Operation(OP_PENDING, this,
4752                        OP_TYPE_BACKUP));
4753            }
4754        }
4755
4756        private void unregisterTask() {
4757            removeOperation(mCurrentOpToken);
4758        }
4759
4760        @Override
4761        public void execute() {
4762            // Nothing to do.
4763        }
4764
4765        @Override
4766        public void handleCancel(boolean cancelAll) {
4767            synchronized (mCancelLock) {
4768                // We only support 'cancelAll = true' case for this task. Cancelling of a single package
4769
4770                // due to timeout is handled by SinglePackageBackupRunner and SinglePackageBackupPreflight.
4771
4772                if (!cancelAll) {
4773                    Slog.wtf(TAG, "Expected cancelAll to be true.");
4774                }
4775
4776                if (mCancelAll) {
4777                    Slog.d(TAG, "Ignoring duplicate cancel call.");
4778                    return;
4779                }
4780
4781                mCancelAll = true;
4782                if (mIsDoingBackup) {
4783                    BackupManagerService.this.handleCancel(mBackupRunnerOpToken, cancelAll);
4784                    try {
4785                        mTransport.cancelFullBackup();
4786                    } catch (RemoteException e) {
4787                        Slog.w(TAG, "Error calling cancelFullBackup() on transport: " + e);
4788                        // Can't do much.
4789                    }
4790                }
4791            }
4792        }
4793
4794        @Override
4795        public void operationComplete(long result) {
4796            // Nothing to do.
4797        }
4798
4799        @Override
4800        public void run() {
4801
4802            // data from the app, passed to us for bridging to the transport
4803            ParcelFileDescriptor[] enginePipes = null;
4804
4805            // Pipe through which we write data to the transport
4806            ParcelFileDescriptor[] transportPipes = null;
4807
4808            long backoff = 0;
4809            int backupRunStatus = BackupManager.SUCCESS;
4810
4811            try {
4812                if (!mEnabled || !mProvisioned) {
4813                    // Backups are globally disabled, so don't proceed.
4814                    if (DEBUG) {
4815                        Slog.i(TAG, "full backup requested but enabled=" + mEnabled
4816                                + " provisioned=" + mProvisioned + "; ignoring");
4817                    }
4818                    int monitoringEvent;
4819                    if (!mEnabled) {
4820                        monitoringEvent = BackupManagerMonitor.LOG_EVENT_ID_BACKUP_DISABLED;
4821                    } else {
4822                        monitoringEvent = BackupManagerMonitor.LOG_EVENT_ID_DEVICE_NOT_PROVISIONED;
4823                    }
4824                    mMonitor = monitorEvent(mMonitor, monitoringEvent, null,
4825                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
4826                    mUpdateSchedule = false;
4827                    backupRunStatus = BackupManager.ERROR_BACKUP_NOT_ALLOWED;
4828                    return;
4829                }
4830
4831                mTransport = mTransportManager.getCurrentTransportBinder();
4832                if (mTransport == null) {
4833                    Slog.w(TAG, "Transport not present; full data backup not performed");
4834                    backupRunStatus = BackupManager.ERROR_TRANSPORT_ABORTED;
4835                    mMonitor = monitorEvent(mMonitor,
4836                            BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_TRANSPORT_NOT_PRESENT,
4837                            mCurrentPackage, BackupManagerMonitor.LOG_EVENT_CATEGORY_TRANSPORT,
4838                            null);
4839                    return;
4840                }
4841
4842                // Set up to send data to the transport
4843                final int N = mPackages.size();
4844                final byte[] buffer = new byte[8192];
4845                for (int i = 0; i < N; i++) {
4846                    PackageInfo currentPackage = mPackages.get(i);
4847                    String packageName = currentPackage.packageName;
4848                    if (DEBUG) {
4849                        Slog.i(TAG, "Initiating full-data transport backup of " + packageName
4850                                + " token: " + mCurrentOpToken);
4851                    }
4852                    EventLog.writeEvent(EventLogTags.FULL_BACKUP_PACKAGE, packageName);
4853
4854                    transportPipes = ParcelFileDescriptor.createPipe();
4855
4856                    // Tell the transport the data's coming
4857                    int flags = mUserInitiated ? BackupTransport.FLAG_USER_INITIATED : 0;
4858                    int backupPackageStatus;
4859                    long quota = Long.MAX_VALUE;
4860                    synchronized (mCancelLock) {
4861                        if (mCancelAll) {
4862                            break;
4863                        }
4864                        backupPackageStatus = mTransport.performFullBackup(currentPackage,
4865                                transportPipes[0], flags);
4866
4867                        if (backupPackageStatus == BackupTransport.TRANSPORT_OK) {
4868                            quota = mTransport.getBackupQuota(currentPackage.packageName,
4869                                    true /* isFullBackup */);
4870                            // Now set up the backup engine / data source end of things
4871                            enginePipes = ParcelFileDescriptor.createPipe();
4872                            mBackupRunner =
4873                                    new SinglePackageBackupRunner(enginePipes[1], currentPackage,
4874                                            mTransport, quota, mBackupRunnerOpToken);
4875                            // The runner dup'd the pipe half, so we close it here
4876                            enginePipes[1].close();
4877                            enginePipes[1] = null;
4878
4879                            mIsDoingBackup = true;
4880                        }
4881                    }
4882                    if (backupPackageStatus == BackupTransport.TRANSPORT_OK) {
4883
4884                        // The transport has its own copy of the read end of the pipe,
4885                        // so close ours now
4886                        transportPipes[0].close();
4887                        transportPipes[0] = null;
4888
4889                        // Spin off the runner to fetch the app's data and pipe it
4890                        // into the engine pipes
4891                        (new Thread(mBackupRunner, "package-backup-bridge")).start();
4892
4893                        // Read data off the engine pipe and pass it to the transport
4894                        // pipe until we hit EOD on the input stream.  We do not take
4895                        // close() responsibility for these FDs into these stream wrappers.
4896                        FileInputStream in = new FileInputStream(
4897                                enginePipes[0].getFileDescriptor());
4898                        FileOutputStream out = new FileOutputStream(
4899                                transportPipes[1].getFileDescriptor());
4900                        long totalRead = 0;
4901                        final long preflightResult = mBackupRunner.getPreflightResultBlocking();
4902                        // Preflight result is negative if some error happened on preflight.
4903                        if (preflightResult < 0) {
4904                            if (MORE_DEBUG) {
4905                                Slog.d(TAG, "Backup error after preflight of package "
4906                                        + packageName + ": " + preflightResult
4907                                        + ", not running backup.");
4908                            }
4909                            mMonitor = monitorEvent(mMonitor,
4910                                    BackupManagerMonitor.LOG_EVENT_ID_ERROR_PREFLIGHT,
4911                                    mCurrentPackage,
4912                                    BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
4913                                    putMonitoringExtra(null,
4914                                            BackupManagerMonitor.EXTRA_LOG_PREFLIGHT_ERROR,
4915                                            preflightResult));
4916                            backupPackageStatus = (int) preflightResult;
4917                        } else {
4918                            int nRead = 0;
4919                            do {
4920                                nRead = in.read(buffer);
4921                                if (MORE_DEBUG) {
4922                                    Slog.v(TAG, "in.read(buffer) from app: " + nRead);
4923                                }
4924                                if (nRead > 0) {
4925                                    out.write(buffer, 0, nRead);
4926                                    synchronized (mCancelLock) {
4927                                        if (!mCancelAll) {
4928                                            backupPackageStatus = mTransport.sendBackupData(nRead);
4929                                        }
4930                                    }
4931                                    totalRead += nRead;
4932                                    if (mBackupObserver != null && preflightResult > 0) {
4933                                        sendBackupOnUpdate(mBackupObserver, packageName,
4934                                                new BackupProgress(preflightResult, totalRead));
4935                                    }
4936                                }
4937                            } while (nRead > 0
4938                                    && backupPackageStatus == BackupTransport.TRANSPORT_OK);
4939                            // Despite preflight succeeded, package still can hit quota on flight.
4940                            if (backupPackageStatus == BackupTransport.TRANSPORT_QUOTA_EXCEEDED) {
4941                                Slog.w(TAG, "Package hit quota limit in-flight " + packageName
4942                                        + ": " + totalRead + " of " + quota);
4943                                mMonitor = monitorEvent(mMonitor,
4944                                        BackupManagerMonitor.LOG_EVENT_ID_QUOTA_HIT_PREFLIGHT,
4945                                        mCurrentPackage,
4946                                        BackupManagerMonitor.LOG_EVENT_CATEGORY_TRANSPORT,
4947                                        null);
4948                                mBackupRunner.sendQuotaExceeded(totalRead, quota);
4949                            }
4950                        }
4951
4952                        final int backupRunnerResult = mBackupRunner.getBackupResultBlocking();
4953
4954                        synchronized (mCancelLock) {
4955                            mIsDoingBackup = false;
4956                            // If mCancelCurrent is true, we have already called cancelFullBackup().
4957                            if (!mCancelAll) {
4958                                if (backupRunnerResult == BackupTransport.TRANSPORT_OK) {
4959                                    // If we were otherwise in a good state, now interpret the final
4960                                    // result based on what finishBackup() returns.  If we're in a
4961                                    // failure case already, preserve that result and ignore whatever
4962                                    // finishBackup() reports.
4963                                    final int finishResult = mTransport.finishBackup();
4964                                    if (backupPackageStatus == BackupTransport.TRANSPORT_OK) {
4965                                        backupPackageStatus = finishResult;
4966                                    }
4967                                } else {
4968                                    mTransport.cancelFullBackup();
4969                                }
4970                            }
4971                        }
4972
4973                        // A transport-originated error here means that we've hit an error that the
4974                        // runner doesn't know about, so it's still moving data but we're pulling the
4975                        // rug out from under it.  Don't ask for its result:  we already know better
4976                        // and we'll hang if we block waiting for it, since it relies on us to
4977                        // read back the data it's writing into the engine.  Just proceed with
4978                        // a graceful failure.  The runner/engine mechanism will tear itself
4979                        // down cleanly when we close the pipes from this end.  Transport-level
4980                        // errors take precedence over agent/app-specific errors for purposes of
4981                        // determining our course of action.
4982                        if (backupPackageStatus == BackupTransport.TRANSPORT_OK) {
4983                            // We still could fail in backup runner thread.
4984                            if (backupRunnerResult != BackupTransport.TRANSPORT_OK) {
4985                                // If there was an error in runner thread and
4986                                // not TRANSPORT_ERROR here, overwrite it.
4987                                backupPackageStatus = backupRunnerResult;
4988                            }
4989                        } else {
4990                            if (MORE_DEBUG) {
4991                                Slog.i(TAG, "Transport-level failure; cancelling agent work");
4992                            }
4993                        }
4994
4995                        if (MORE_DEBUG) {
4996                            Slog.i(TAG, "Done delivering backup data: result="
4997                                    + backupPackageStatus);
4998                        }
4999
5000                        if (backupPackageStatus != BackupTransport.TRANSPORT_OK) {
5001                            Slog.e(TAG, "Error " + backupPackageStatus + " backing up "
5002                                    + packageName);
5003                        }
5004
5005                        // Also ask the transport how long it wants us to wait before
5006                        // moving on to the next package, if any.
5007                        backoff = mTransport.requestFullBackupTime();
5008                        if (DEBUG_SCHEDULING) {
5009                            Slog.i(TAG, "Transport suggested backoff=" + backoff);
5010                        }
5011
5012                    }
5013
5014                    // Roll this package to the end of the backup queue if we're
5015                    // in a queue-driven mode (regardless of success/failure)
5016                    if (mUpdateSchedule) {
5017                        enqueueFullBackup(packageName, System.currentTimeMillis());
5018                    }
5019
5020                    if (backupPackageStatus == BackupTransport.TRANSPORT_PACKAGE_REJECTED) {
5021                        sendBackupOnPackageResult(mBackupObserver, packageName,
5022                                BackupManager.ERROR_TRANSPORT_PACKAGE_REJECTED);
5023                        if (DEBUG) {
5024                            Slog.i(TAG, "Transport rejected backup of " + packageName
5025                                    + ", skipping");
5026                        }
5027                        EventLog.writeEvent(EventLogTags.FULL_BACKUP_AGENT_FAILURE, packageName,
5028                                "transport rejected");
5029                        // Do nothing, clean up, and continue looping.
5030                    } else if (backupPackageStatus == BackupTransport.TRANSPORT_QUOTA_EXCEEDED) {
5031                        sendBackupOnPackageResult(mBackupObserver, packageName,
5032                                BackupManager.ERROR_TRANSPORT_QUOTA_EXCEEDED);
5033                        if (DEBUG) {
5034                            Slog.i(TAG, "Transport quota exceeded for package: " + packageName);
5035                            EventLog.writeEvent(EventLogTags.FULL_BACKUP_QUOTA_EXCEEDED,
5036                                    packageName);
5037                        }
5038                        // Do nothing, clean up, and continue looping.
5039                    } else if (backupPackageStatus == BackupTransport.AGENT_ERROR) {
5040                        sendBackupOnPackageResult(mBackupObserver, packageName,
5041                                BackupManager.ERROR_AGENT_FAILURE);
5042                        Slog.w(TAG, "Application failure for package: " + packageName);
5043                        EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, packageName);
5044                        tearDownAgentAndKill(currentPackage.applicationInfo);
5045                        // Do nothing, clean up, and continue looping.
5046                    } else if (backupPackageStatus == BackupManager.ERROR_BACKUP_CANCELLED) {
5047                        sendBackupOnPackageResult(mBackupObserver, packageName,
5048                                BackupManager.ERROR_BACKUP_CANCELLED);
5049                        Slog.w(TAG, "Backup cancelled. package=" + packageName +
5050                                ", cancelAll=" + mCancelAll);
5051                        EventLog.writeEvent(EventLogTags.FULL_BACKUP_CANCELLED, packageName);
5052                        tearDownAgentAndKill(currentPackage.applicationInfo);
5053                        // Do nothing, clean up, and continue looping.
5054                    } else if (backupPackageStatus != BackupTransport.TRANSPORT_OK) {
5055                        sendBackupOnPackageResult(mBackupObserver, packageName,
5056                            BackupManager.ERROR_TRANSPORT_ABORTED);
5057                        Slog.w(TAG, "Transport failed; aborting backup: " + backupPackageStatus);
5058                        EventLog.writeEvent(EventLogTags.FULL_BACKUP_TRANSPORT_FAILURE);
5059                        // Abort entire backup pass.
5060                        backupRunStatus = BackupManager.ERROR_TRANSPORT_ABORTED;
5061                        return;
5062                    } else {
5063                        // Success!
5064                        sendBackupOnPackageResult(mBackupObserver, packageName,
5065                                BackupManager.SUCCESS);
5066                        EventLog.writeEvent(EventLogTags.FULL_BACKUP_SUCCESS, packageName);
5067                        logBackupComplete(packageName);
5068                    }
5069                    cleanUpPipes(transportPipes);
5070                    cleanUpPipes(enginePipes);
5071                    if (currentPackage.applicationInfo != null) {
5072                        Slog.i(TAG, "Unbinding agent in " + packageName);
5073                        addBackupTrace("unbinding " + packageName);
5074                        try {
5075                            mActivityManager.unbindBackupAgent(currentPackage.applicationInfo);
5076                        } catch (RemoteException e) { /* can't happen; activity manager is local */ }
5077                    }
5078                }
5079            } catch (Exception e) {
5080                backupRunStatus = BackupManager.ERROR_TRANSPORT_ABORTED;
5081                Slog.w(TAG, "Exception trying full transport backup", e);
5082                mMonitor = monitorEvent(mMonitor,
5083                        BackupManagerMonitor.LOG_EVENT_ID_EXCEPTION_FULL_BACKUP,
5084                        mCurrentPackage,
5085                        BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
5086                        putMonitoringExtra(null,
5087                                BackupManagerMonitor.EXTRA_LOG_EXCEPTION_FULL_BACKUP,
5088                                Log.getStackTraceString(e)));
5089
5090            } finally {
5091
5092                if (mCancelAll) {
5093                    backupRunStatus = BackupManager.ERROR_BACKUP_CANCELLED;
5094                }
5095
5096                if (DEBUG) {
5097                    Slog.i(TAG, "Full backup completed with status: " + backupRunStatus);
5098                }
5099                sendBackupFinished(mBackupObserver, backupRunStatus);
5100
5101                cleanUpPipes(transportPipes);
5102                cleanUpPipes(enginePipes);
5103
5104                unregisterTask();
5105
5106                if (mJob != null) {
5107                    mJob.finishBackupPass();
5108                }
5109
5110                synchronized (mQueueLock) {
5111                    mRunningFullBackupTask = null;
5112                }
5113
5114                mLatch.countDown();
5115
5116                // Now that we're actually done with schedule-driven work, reschedule
5117                // the next pass based on the new queue state.
5118                if (mUpdateSchedule) {
5119                    scheduleNextFullBackupJob(backoff);
5120                }
5121
5122                Slog.i(BackupManagerService.TAG, "Full data backup pass finished.");
5123                mWakelock.release();
5124            }
5125        }
5126
5127        void cleanUpPipes(ParcelFileDescriptor[] pipes) {
5128            if (pipes != null) {
5129                if (pipes[0] != null) {
5130                    ParcelFileDescriptor fd = pipes[0];
5131                    pipes[0] = null;
5132                    try {
5133                        fd.close();
5134                    } catch (IOException e) {
5135                        Slog.w(TAG, "Unable to close pipe!");
5136                    }
5137                }
5138                if (pipes[1] != null) {
5139                    ParcelFileDescriptor fd = pipes[1];
5140                    pipes[1] = null;
5141                    try {
5142                        fd.close();
5143                    } catch (IOException e) {
5144                        Slog.w(TAG, "Unable to close pipe!");
5145                    }
5146                }
5147            }
5148        }
5149
5150        // Run the backup and pipe it back to the given socket -- expects to run on
5151        // a standalone thread.  The  runner owns this half of the pipe, and closes
5152        // it to indicate EOD to the other end.
5153        class SinglePackageBackupPreflight implements BackupRestoreTask, FullBackupPreflight {
5154            final AtomicLong mResult = new AtomicLong(BackupTransport.AGENT_ERROR);
5155            final CountDownLatch mLatch = new CountDownLatch(1);
5156            final IBackupTransport mTransport;
5157            final long mQuota;
5158            private final int mCurrentOpToken;
5159
5160            SinglePackageBackupPreflight(IBackupTransport transport, long quota, int currentOpToken) {
5161                mTransport = transport;
5162                mQuota = quota;
5163                mCurrentOpToken = currentOpToken;
5164            }
5165
5166            @Override
5167            public int preflightFullBackup(PackageInfo pkg, IBackupAgent agent) {
5168                int result;
5169                try {
5170                    prepareOperationTimeout(mCurrentOpToken, TIMEOUT_FULL_BACKUP_INTERVAL,
5171                            this, OP_TYPE_BACKUP_WAIT);
5172                    addBackupTrace("preflighting");
5173                    if (MORE_DEBUG) {
5174                        Slog.d(TAG, "Preflighting full payload of " + pkg.packageName);
5175                    }
5176                    agent.doMeasureFullBackup(mQuota, mCurrentOpToken, mBackupManagerBinder);
5177
5178                    // Now wait to get our result back.  If this backstop timeout is reached without
5179                    // the latch being thrown, flow will continue as though a result or "normal"
5180                    // timeout had been produced.  In case of a real backstop timeout, mResult
5181                    // will still contain the value it was constructed with, AGENT_ERROR, which
5182                    // intentionaly falls into the "just report failure" code.
5183                    mLatch.await(TIMEOUT_FULL_BACKUP_INTERVAL, TimeUnit.MILLISECONDS);
5184
5185                    long totalSize = mResult.get();
5186                    // If preflight timed out, mResult will contain error code as int.
5187                    if (totalSize < 0) {
5188                        return (int) totalSize;
5189                    }
5190                    if (MORE_DEBUG) {
5191                        Slog.v(TAG, "Got preflight response; size=" + totalSize);
5192                    }
5193
5194                    result = mTransport.checkFullBackupSize(totalSize);
5195                    if (result == BackupTransport.TRANSPORT_QUOTA_EXCEEDED) {
5196                        if (MORE_DEBUG) {
5197                            Slog.d(TAG, "Package hit quota limit on preflight " +
5198                                    pkg.packageName + ": " + totalSize + " of " + mQuota);
5199                        }
5200                        agent.doQuotaExceeded(totalSize, mQuota);
5201                    }
5202                } catch (Exception e) {
5203                    Slog.w(TAG, "Exception preflighting " + pkg.packageName + ": " + e.getMessage());
5204                    result = BackupTransport.AGENT_ERROR;
5205                }
5206                return result;
5207            }
5208
5209            @Override
5210            public void execute() {
5211                // Unused.
5212            }
5213
5214            @Override
5215            public void operationComplete(long result) {
5216                // got the callback, and our preflightFullBackup() method is waiting for the result
5217                if (MORE_DEBUG) {
5218                    Slog.i(TAG, "Preflight op complete, result=" + result);
5219                }
5220                mResult.set(result);
5221                mLatch.countDown();
5222                removeOperation(mCurrentOpToken);
5223            }
5224
5225            @Override
5226            public void handleCancel(boolean cancelAll) {
5227                if (MORE_DEBUG) {
5228                    Slog.i(TAG, "Preflight cancelled; failing");
5229                }
5230                mResult.set(BackupTransport.AGENT_ERROR);
5231                mLatch.countDown();
5232                removeOperation(mCurrentOpToken);
5233            }
5234
5235            @Override
5236            public long getExpectedSizeOrErrorCode() {
5237                try {
5238                    mLatch.await(TIMEOUT_FULL_BACKUP_INTERVAL, TimeUnit.MILLISECONDS);
5239                    return mResult.get();
5240                } catch (InterruptedException e) {
5241                    return BackupTransport.NO_MORE_DATA;
5242                }
5243            }
5244        }
5245
5246        class SinglePackageBackupRunner implements Runnable, BackupRestoreTask {
5247            final ParcelFileDescriptor mOutput;
5248            final PackageInfo mTarget;
5249            final SinglePackageBackupPreflight mPreflight;
5250            final CountDownLatch mPreflightLatch;
5251            final CountDownLatch mBackupLatch;
5252            private final int mCurrentOpToken;
5253            private final int mEphemeralToken;
5254            private FullBackupEngine mEngine;
5255            private volatile int mPreflightResult;
5256            private volatile int mBackupResult;
5257            private final long mQuota;
5258            private volatile boolean mIsCancelled;
5259
5260            SinglePackageBackupRunner(ParcelFileDescriptor output, PackageInfo target,
5261                    IBackupTransport transport, long quota, int currentOpToken) throws IOException {
5262                mOutput = ParcelFileDescriptor.dup(output.getFileDescriptor());
5263                mTarget = target;
5264                mCurrentOpToken = currentOpToken;
5265                mEphemeralToken = generateRandomIntegerToken();
5266                mPreflight = new SinglePackageBackupPreflight(transport, quota, mEphemeralToken);
5267                mPreflightLatch = new CountDownLatch(1);
5268                mBackupLatch = new CountDownLatch(1);
5269                mPreflightResult = BackupTransport.AGENT_ERROR;
5270                mBackupResult = BackupTransport.AGENT_ERROR;
5271                mQuota = quota;
5272                registerTask();
5273            }
5274
5275            void registerTask() {
5276                synchronized (mCurrentOpLock) {
5277                    mCurrentOperations.put(mCurrentOpToken, new Operation(OP_PENDING, this,
5278                            OP_TYPE_BACKUP_WAIT));
5279                }
5280            }
5281
5282            void unregisterTask() {
5283                synchronized (mCurrentOpLock) {
5284                    mCurrentOperations.remove(mCurrentOpToken);
5285                }
5286            }
5287
5288            @Override
5289            public void run() {
5290                FileOutputStream out = new FileOutputStream(mOutput.getFileDescriptor());
5291                mEngine = new FullBackupEngine(out, mPreflight, mTarget, false, this, mQuota, mCurrentOpToken);
5292                try {
5293                    try {
5294                        if (!mIsCancelled) {
5295                            mPreflightResult = mEngine.preflightCheck();
5296                        }
5297                    } finally {
5298                        mPreflightLatch.countDown();
5299                    }
5300                    // If there is no error on preflight, continue backup.
5301                    if (mPreflightResult == BackupTransport.TRANSPORT_OK) {
5302                        if (!mIsCancelled) {
5303                            mBackupResult = mEngine.backupOnePackage();
5304                        }
5305                    }
5306                } catch (Exception e) {
5307                    Slog.e(TAG, "Exception during full package backup of " + mTarget.packageName);
5308                } finally {
5309                    unregisterTask();
5310                    mBackupLatch.countDown();
5311                    try {
5312                        mOutput.close();
5313                    } catch (IOException e) {
5314                        Slog.w(TAG, "Error closing transport pipe in runner");
5315                    }
5316                }
5317            }
5318
5319            public void sendQuotaExceeded(final long backupDataBytes, final long quotaBytes) {
5320                mEngine.sendQuotaExceeded(backupDataBytes, quotaBytes);
5321            }
5322
5323            // If preflight succeeded, returns positive number - preflight size,
5324            // otherwise return negative error code.
5325            long getPreflightResultBlocking() {
5326                try {
5327                    mPreflightLatch.await(TIMEOUT_FULL_BACKUP_INTERVAL, TimeUnit.MILLISECONDS);
5328                    if (mIsCancelled) {
5329                        return BackupManager.ERROR_BACKUP_CANCELLED;
5330                    }
5331                    if (mPreflightResult == BackupTransport.TRANSPORT_OK) {
5332                        return mPreflight.getExpectedSizeOrErrorCode();
5333                    } else {
5334                        return mPreflightResult;
5335                    }
5336                } catch (InterruptedException e) {
5337                    return BackupTransport.AGENT_ERROR;
5338                }
5339            }
5340
5341            int getBackupResultBlocking() {
5342                try {
5343                    mBackupLatch.await(TIMEOUT_FULL_BACKUP_INTERVAL, TimeUnit.MILLISECONDS);
5344                    if (mIsCancelled) {
5345                        return BackupManager.ERROR_BACKUP_CANCELLED;
5346                    }
5347                    return mBackupResult;
5348                } catch (InterruptedException e) {
5349                    return BackupTransport.AGENT_ERROR;
5350                }
5351            }
5352
5353
5354            // BackupRestoreTask interface: specifically, timeout detection
5355
5356            @Override
5357            public void execute() { /* intentionally empty */ }
5358
5359            @Override
5360            public void operationComplete(long result) { /* intentionally empty */ }
5361
5362            @Override
5363            public void handleCancel(boolean cancelAll) {
5364                if (DEBUG) {
5365                    Slog.w(TAG, "Full backup cancel of " + mTarget.packageName);
5366                }
5367
5368                mMonitor = monitorEvent(mMonitor,
5369                        BackupManagerMonitor.LOG_EVENT_ID_FULL_BACKUP_CANCEL,
5370                        mCurrentPackage, BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT, null);
5371                mIsCancelled = true;
5372                // Cancel tasks spun off by this task.
5373                BackupManagerService.this.handleCancel(mEphemeralToken, cancelAll);
5374                tearDownAgentAndKill(mTarget.applicationInfo);
5375                // Free up everyone waiting on this task and its children.
5376                mPreflightLatch.countDown();
5377                mBackupLatch.countDown();
5378                // We are done with this operation.
5379                removeOperation(mCurrentOpToken);
5380            }
5381        }
5382    }
5383
5384    // ----- Full-data backup scheduling -----
5385
5386    /**
5387     * Schedule a job to tell us when it's a good time to run a full backup
5388     */
5389    void scheduleNextFullBackupJob(long transportMinLatency) {
5390        synchronized (mQueueLock) {
5391            if (mFullBackupQueue.size() > 0) {
5392                // schedule the next job at the point in the future when the least-recently
5393                // backed up app comes due for backup again; or immediately if it's already
5394                // due.
5395                final long upcomingLastBackup = mFullBackupQueue.get(0).lastBackup;
5396                final long timeSinceLast = System.currentTimeMillis() - upcomingLastBackup;
5397                final long appLatency = (timeSinceLast < MIN_FULL_BACKUP_INTERVAL)
5398                        ? (MIN_FULL_BACKUP_INTERVAL - timeSinceLast) : 0;
5399                final long latency = Math.max(transportMinLatency, appLatency);
5400                Runnable r = new Runnable() {
5401                    @Override public void run() {
5402                        FullBackupJob.schedule(mContext, latency);
5403                    }
5404                };
5405                mBackupHandler.postDelayed(r, 2500);
5406            } else {
5407                if (DEBUG_SCHEDULING) {
5408                    Slog.i(TAG, "Full backup queue empty; not scheduling");
5409                }
5410            }
5411        }
5412    }
5413
5414    /**
5415     * Remove a package from the full-data queue.
5416     */
5417    void dequeueFullBackupLocked(String packageName) {
5418        final int N = mFullBackupQueue.size();
5419        for (int i = N-1; i >= 0; i--) {
5420            final FullBackupEntry e = mFullBackupQueue.get(i);
5421            if (packageName.equals(e.packageName)) {
5422                mFullBackupQueue.remove(i);
5423            }
5424        }
5425    }
5426
5427    /**
5428     * Enqueue full backup for the given app, with a note about when it last ran.
5429     */
5430    void enqueueFullBackup(String packageName, long lastBackedUp) {
5431        FullBackupEntry newEntry = new FullBackupEntry(packageName, lastBackedUp);
5432        synchronized (mQueueLock) {
5433            // First, sanity check that we aren't adding a duplicate.  Slow but
5434            // straightforward; we'll have at most on the order of a few hundred
5435            // items in this list.
5436            dequeueFullBackupLocked(packageName);
5437
5438            // This is also slow but easy for modest numbers of apps: work backwards
5439            // from the end of the queue until we find an item whose last backup
5440            // time was before this one, then insert this new entry after it.  If we're
5441            // adding something new we don't bother scanning, and just prepend.
5442            int which = -1;
5443            if (lastBackedUp > 0) {
5444                for (which = mFullBackupQueue.size() - 1; which >= 0; which--) {
5445                    final FullBackupEntry entry = mFullBackupQueue.get(which);
5446                    if (entry.lastBackup <= lastBackedUp) {
5447                        mFullBackupQueue.add(which + 1, newEntry);
5448                        break;
5449                    }
5450                }
5451            }
5452            if (which < 0) {
5453                // this one is earlier than any existing one, so prepend
5454                mFullBackupQueue.add(0, newEntry);
5455            }
5456        }
5457        writeFullBackupScheduleAsync();
5458    }
5459
5460    private boolean fullBackupAllowable(IBackupTransport transport) {
5461        if (transport == null) {
5462            Slog.w(TAG, "Transport not present; full data backup not performed");
5463            return false;
5464        }
5465
5466        // Don't proceed unless we have already established package metadata
5467        // for the current dataset via a key/value backup pass.
5468        try {
5469            File stateDir = new File(mBaseStateDir, transport.transportDirName());
5470            File pmState = new File(stateDir, PACKAGE_MANAGER_SENTINEL);
5471            if (pmState.length() <= 0) {
5472                if (DEBUG) {
5473                    Slog.i(TAG, "Full backup requested but dataset not yet initialized");
5474                }
5475                return false;
5476            }
5477        } catch (Exception e) {
5478            Slog.w(TAG, "Unable to get transport name: " + e.getMessage());
5479            return false;
5480        }
5481
5482        return true;
5483    }
5484
5485    /**
5486     * Conditions are right for a full backup operation, so run one.  The model we use is
5487     * to perform one app backup per scheduled job execution, and to reschedule the job
5488     * with zero latency as long as conditions remain right and we still have work to do.
5489     *
5490     * <p>This is the "start a full backup operation" entry point called by the scheduled job.
5491     *
5492     * @return Whether ongoing work will continue.  The return value here will be passed
5493     *         along as the return value to the scheduled job's onStartJob() callback.
5494     */
5495    @Override
5496    public boolean beginFullBackup(FullBackupJob scheduledJob) {
5497        long now = System.currentTimeMillis();
5498        FullBackupEntry entry = null;
5499        long latency = MIN_FULL_BACKUP_INTERVAL;
5500
5501        if (!mEnabled || !mProvisioned) {
5502            // Backups are globally disabled, so don't proceed.  We also don't reschedule
5503            // the job driving automatic backups; that job will be scheduled again when
5504            // the user enables backup.
5505            if (MORE_DEBUG) {
5506                Slog.i(TAG, "beginFullBackup but e=" + mEnabled
5507                        + " p=" + mProvisioned + "; ignoring");
5508            }
5509            return false;
5510        }
5511
5512        // Don't run the backup if we're in battery saver mode, but reschedule
5513        // to try again in the not-so-distant future.
5514        final PowerSaveState result =
5515                mPowerManager.getPowerSaveState(ServiceType.FULL_BACKUP);
5516        if (result.batterySaverEnabled) {
5517            if (DEBUG) Slog.i(TAG, "Deferring scheduled full backups in battery saver mode");
5518            FullBackupJob.schedule(mContext, KeyValueBackupJob.BATCH_INTERVAL);
5519            return false;
5520        }
5521
5522        if (DEBUG_SCHEDULING) {
5523            Slog.i(TAG, "Beginning scheduled full backup operation");
5524        }
5525
5526        // Great; we're able to run full backup jobs now.  See if we have any work to do.
5527        synchronized (mQueueLock) {
5528            if (mRunningFullBackupTask != null) {
5529                Slog.e(TAG, "Backup triggered but one already/still running!");
5530                return false;
5531            }
5532
5533            // At this point we think that we have work to do, but possibly not right now.
5534            // Any exit without actually running backups will also require that we
5535            // reschedule the job.
5536            boolean runBackup = true;
5537            boolean headBusy;
5538
5539            do {
5540                // Recheck each time, because culling due to ineligibility may
5541                // have emptied the queue.
5542                if (mFullBackupQueue.size() == 0) {
5543                    // no work to do so just bow out
5544                    if (DEBUG) {
5545                        Slog.i(TAG, "Backup queue empty; doing nothing");
5546                    }
5547                    runBackup = false;
5548                    break;
5549                }
5550
5551                headBusy = false;
5552
5553                if (!fullBackupAllowable(mTransportManager.getCurrentTransportBinder())) {
5554                    if (MORE_DEBUG) {
5555                        Slog.i(TAG, "Preconditions not met; not running full backup");
5556                    }
5557                    runBackup = false;
5558                    // Typically this means we haven't run a key/value backup yet.  Back off
5559                    // full-backup operations by the key/value job's run interval so that
5560                    // next time we run, we are likely to be able to make progress.
5561                    latency = KeyValueBackupJob.BATCH_INTERVAL;
5562                }
5563
5564                if (runBackup) {
5565                    entry = mFullBackupQueue.get(0);
5566                    long timeSinceRun = now - entry.lastBackup;
5567                    runBackup = (timeSinceRun >= MIN_FULL_BACKUP_INTERVAL);
5568                    if (!runBackup) {
5569                        // It's too early to back up the next thing in the queue, so bow out
5570                        if (MORE_DEBUG) {
5571                            Slog.i(TAG, "Device ready but too early to back up next app");
5572                        }
5573                        // Wait until the next app in the queue falls due for a full data backup
5574                        latency = MIN_FULL_BACKUP_INTERVAL - timeSinceRun;
5575                        break;  // we know we aren't doing work yet, so bail.
5576                    }
5577
5578                    try {
5579                        PackageInfo appInfo = mPackageManager.getPackageInfo(entry.packageName, 0);
5580                        if (!appGetsFullBackup(appInfo)) {
5581                            // The head app isn't supposed to get full-data backups [any more];
5582                            // so we cull it and force a loop around to consider the new head
5583                            // app.
5584                            if (MORE_DEBUG) {
5585                                Slog.i(TAG, "Culling package " + entry.packageName
5586                                        + " in full-backup queue but not eligible");
5587                            }
5588                            mFullBackupQueue.remove(0);
5589                            headBusy = true; // force the while() condition
5590                            continue;
5591                        }
5592
5593                        final int privFlags = appInfo.applicationInfo.privateFlags;
5594                        headBusy = (privFlags & PRIVATE_FLAG_BACKUP_IN_FOREGROUND) == 0
5595                                && mActivityManager.isAppForeground(appInfo.applicationInfo.uid);
5596
5597                        if (headBusy) {
5598                            final long nextEligible = System.currentTimeMillis()
5599                                    + BUSY_BACKOFF_MIN_MILLIS
5600                                    + mTokenGenerator.nextInt(BUSY_BACKOFF_FUZZ);
5601                            if (DEBUG_SCHEDULING) {
5602                                SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
5603                                Slog.i(TAG, "Full backup time but " + entry.packageName
5604                                        + " is busy; deferring to "
5605                                        + sdf.format(new Date(nextEligible)));
5606                            }
5607                            // This relocates the app's entry from the head of the queue to
5608                            // its order-appropriate position further down, so upon looping
5609                            // a new candidate will be considered at the head.
5610                            enqueueFullBackup(entry.packageName,
5611                                    nextEligible - MIN_FULL_BACKUP_INTERVAL);
5612                        }
5613                    } catch (NameNotFoundException nnf) {
5614                        // So, we think we want to back this up, but it turns out the package
5615                        // in question is no longer installed.  We want to drop it from the
5616                        // queue entirely and move on, but if there's nothing else in the queue
5617                        // we should bail entirely.  headBusy cannot have been set to true yet.
5618                        runBackup = (mFullBackupQueue.size() > 1);
5619                    } catch (RemoteException e) {
5620                        // Cannot happen; the Activity Manager is in the same process
5621                    }
5622                }
5623            } while (headBusy);
5624
5625            if (!runBackup) {
5626                if (DEBUG_SCHEDULING) {
5627                    Slog.i(TAG, "Nothing pending full backup; rescheduling +" + latency);
5628                }
5629                final long deferTime = latency;     // pin for the closure
5630                mBackupHandler.post(new Runnable() {
5631                    @Override public void run() {
5632                        FullBackupJob.schedule(mContext, deferTime);
5633                    }
5634                });
5635                return false;
5636            }
5637
5638            // Okay, the top thing is ready for backup now.  Do it.
5639            mFullBackupQueue.remove(0);
5640            CountDownLatch latch = new CountDownLatch(1);
5641            String[] pkg = new String[] {entry.packageName};
5642            mRunningFullBackupTask = new PerformFullTransportBackupTask(null, pkg, true,
5643                    scheduledJob, latch, null, null, false /* userInitiated */);
5644            // Acquiring wakelock for PerformFullTransportBackupTask before its start.
5645            mWakelock.acquire();
5646            (new Thread(mRunningFullBackupTask)).start();
5647        }
5648
5649        return true;
5650    }
5651
5652    // The job scheduler says our constraints don't hold any more,
5653    // so tear down any ongoing backup task right away.
5654    @Override
5655    public void endFullBackup() {
5656        // offload the mRunningFullBackupTask.handleCancel() call to another thread,
5657        // as we might have to wait for mCancelLock
5658        Runnable endFullBackupRunnable = new Runnable() {
5659            @Override
5660            public void run() {
5661                PerformFullTransportBackupTask pftbt = null;
5662                synchronized (mQueueLock) {
5663                    if (mRunningFullBackupTask != null) {
5664                        if (DEBUG_SCHEDULING) {
5665                            Slog.i(TAG, "Telling running backup to stop");
5666                        }
5667                        pftbt = mRunningFullBackupTask;
5668                    }
5669                }
5670                pftbt.handleCancel(true);
5671            }
5672        };
5673        new Thread(endFullBackupRunnable, "end-full-backup").start();
5674    }
5675
5676    // ----- Restore infrastructure -----
5677
5678    abstract class RestoreEngine {
5679        static final String TAG = "RestoreEngine";
5680
5681        public static final int SUCCESS = 0;
5682        public static final int TARGET_FAILURE = -2;
5683        public static final int TRANSPORT_FAILURE = -3;
5684
5685        private AtomicBoolean mRunning = new AtomicBoolean(false);
5686        private AtomicInteger mResult = new AtomicInteger(SUCCESS);
5687
5688        public boolean isRunning() {
5689            return mRunning.get();
5690        }
5691
5692        public void setRunning(boolean stillRunning) {
5693            synchronized (mRunning) {
5694                mRunning.set(stillRunning);
5695                mRunning.notifyAll();
5696            }
5697        }
5698
5699        public int waitForResult() {
5700            synchronized (mRunning) {
5701                while (isRunning()) {
5702                    try {
5703                        mRunning.wait();
5704                    } catch (InterruptedException e) {}
5705                }
5706            }
5707            return getResult();
5708        }
5709
5710        public int getResult() {
5711            return mResult.get();
5712        }
5713
5714        public void setResult(int result) {
5715            mResult.set(result);
5716        }
5717
5718        // TODO: abstract restore state and APIs
5719    }
5720
5721    // ----- Full restore from a file/socket -----
5722
5723    enum RestorePolicy {
5724        IGNORE,
5725        ACCEPT,
5726        ACCEPT_IF_APK
5727    }
5728
5729    // Full restore engine, used by both adb restore and transport-based full restore
5730    class FullRestoreEngine extends RestoreEngine {
5731        // Task in charge of monitoring timeouts
5732        BackupRestoreTask mMonitorTask;
5733
5734        // Dedicated observer, if any
5735        IFullBackupRestoreObserver mObserver;
5736
5737        IBackupManagerMonitor mMonitor;
5738
5739        // Where we're delivering the file data as we go
5740        IBackupAgent mAgent;
5741
5742        // Are we permitted to only deliver a specific package's metadata?
5743        PackageInfo mOnlyPackage;
5744
5745        boolean mAllowApks;
5746        boolean mAllowObbs;
5747
5748        // Which package are we currently handling data for?
5749        String mAgentPackage;
5750
5751        // Info for working with the target app process
5752        ApplicationInfo mTargetApp;
5753
5754        // Machinery for restoring OBBs
5755        FullBackupObbConnection mObbConnection = null;
5756
5757        // possible handling states for a given package in the restore dataset
5758        final HashMap<String, RestorePolicy> mPackagePolicies
5759                = new HashMap<String, RestorePolicy>();
5760
5761        // installer package names for each encountered app, derived from the manifests
5762        final HashMap<String, String> mPackageInstallers = new HashMap<String, String>();
5763
5764        // Signatures for a given package found in its manifest file
5765        final HashMap<String, Signature[]> mManifestSignatures
5766                = new HashMap<String, Signature[]>();
5767
5768        // Packages we've already wiped data on when restoring their first file
5769        final HashSet<String> mClearedPackages = new HashSet<String>();
5770
5771        // How much data have we moved?
5772        long mBytes;
5773
5774        // Working buffer
5775        byte[] mBuffer;
5776
5777        // Pipes for moving data
5778        ParcelFileDescriptor[] mPipes = null;
5779
5780        // Widget blob to be restored out-of-band
5781        byte[] mWidgetData = null;
5782
5783        private final int mEphemeralOpToken;
5784
5785        // Runner that can be placed in a separate thread to do in-process
5786        // invocations of the full restore API asynchronously. Used by adb restore.
5787        class RestoreFileRunnable implements Runnable {
5788            IBackupAgent mAgent;
5789            FileMetadata mInfo;
5790            ParcelFileDescriptor mSocket;
5791            int mToken;
5792
5793            RestoreFileRunnable(IBackupAgent agent, FileMetadata info,
5794                    ParcelFileDescriptor socket, int token) throws IOException {
5795                mAgent = agent;
5796                mInfo = info;
5797                mToken = token;
5798
5799                // This class is used strictly for process-local binder invocations.  The
5800                // semantics of ParcelFileDescriptor differ in this case; in particular, we
5801                // do not automatically get a 'dup'ed descriptor that we can can continue
5802                // to use asynchronously from the caller.  So, we make sure to dup it ourselves
5803                // before proceeding to do the restore.
5804                mSocket = ParcelFileDescriptor.dup(socket.getFileDescriptor());
5805            }
5806
5807            @Override
5808            public void run() {
5809                try {
5810                    mAgent.doRestoreFile(mSocket, mInfo.size, mInfo.type,
5811                            mInfo.domain, mInfo.path, mInfo.mode, mInfo.mtime,
5812                            mToken, mBackupManagerBinder);
5813                } catch (RemoteException e) {
5814                    // never happens; this is used strictly for local binder calls
5815                }
5816            }
5817        }
5818
5819        public FullRestoreEngine(BackupRestoreTask monitorTask, IFullBackupRestoreObserver observer,
5820                IBackupManagerMonitor monitor, PackageInfo onlyPackage, boolean allowApks,
5821                boolean allowObbs, int ephemeralOpToken) {
5822            mEphemeralOpToken = ephemeralOpToken;
5823            mMonitorTask = monitorTask;
5824            mObserver = observer;
5825            mMonitor = monitor;
5826            mOnlyPackage = onlyPackage;
5827            mAllowApks = allowApks;
5828            mAllowObbs = allowObbs;
5829            mBuffer = new byte[32 * 1024];
5830            mBytes = 0;
5831        }
5832
5833        public IBackupAgent getAgent() {
5834            return mAgent;
5835        }
5836
5837        public byte[] getWidgetData() {
5838            return mWidgetData;
5839        }
5840
5841        public boolean restoreOneFile(InputStream instream, boolean mustKillAgent) {
5842            if (!isRunning()) {
5843                Slog.w(TAG, "Restore engine used after halting");
5844                return false;
5845            }
5846
5847            FileMetadata info;
5848            try {
5849                if (MORE_DEBUG) {
5850                    Slog.v(TAG, "Reading tar header for restoring file");
5851                }
5852                info = readTarHeaders(instream);
5853                if (info != null) {
5854                    if (MORE_DEBUG) {
5855                        dumpFileMetadata(info);
5856                    }
5857
5858                    final String pkg = info.packageName;
5859                    if (!pkg.equals(mAgentPackage)) {
5860                        // In the single-package case, it's a semantic error to expect
5861                        // one app's data but see a different app's on the wire
5862                        if (mOnlyPackage != null) {
5863                            if (!pkg.equals(mOnlyPackage.packageName)) {
5864                                Slog.w(TAG, "Expected data for " + mOnlyPackage
5865                                        + " but saw " + pkg);
5866                                setResult(RestoreEngine.TRANSPORT_FAILURE);
5867                                setRunning(false);
5868                                return false;
5869                            }
5870                        }
5871
5872                        // okay, change in package; set up our various
5873                        // bookkeeping if we haven't seen it yet
5874                        if (!mPackagePolicies.containsKey(pkg)) {
5875                            mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
5876                        }
5877
5878                        // Clean up the previous agent relationship if necessary,
5879                        // and let the observer know we're considering a new app.
5880                        if (mAgent != null) {
5881                            if (DEBUG) Slog.d(TAG, "Saw new package; finalizing old one");
5882                            // Now we're really done
5883                            tearDownPipes();
5884                            tearDownAgent(mTargetApp);
5885                            mTargetApp = null;
5886                            mAgentPackage = null;
5887                        }
5888                    }
5889
5890                    if (info.path.equals(BACKUP_MANIFEST_FILENAME)) {
5891                        mPackagePolicies.put(pkg, readAppManifest(info, instream));
5892                        mPackageInstallers.put(pkg, info.installerPackageName);
5893                        // We've read only the manifest content itself at this point,
5894                        // so consume the footer before looping around to the next
5895                        // input file
5896                        skipTarPadding(info.size, instream);
5897                        sendOnRestorePackage(pkg);
5898                    } else if (info.path.equals(BACKUP_METADATA_FILENAME)) {
5899                        // Metadata blobs!
5900                        readMetadata(info, instream);
5901                        skipTarPadding(info.size, instream);
5902                    } else {
5903                        // Non-manifest, so it's actual file data.  Is this a package
5904                        // we're ignoring?
5905                        boolean okay = true;
5906                        RestorePolicy policy = mPackagePolicies.get(pkg);
5907                        switch (policy) {
5908                            case IGNORE:
5909                                okay = false;
5910                                break;
5911
5912                            case ACCEPT_IF_APK:
5913                                // If we're in accept-if-apk state, then the first file we
5914                                // see MUST be the apk.
5915                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
5916                                    if (DEBUG) Slog.d(TAG, "APK file; installing");
5917                                    // Try to install the app.
5918                                    String installerName = mPackageInstallers.get(pkg);
5919                                    okay = installApk(info, installerName, instream);
5920                                    // good to go; promote to ACCEPT
5921                                    mPackagePolicies.put(pkg, (okay)
5922                                            ? RestorePolicy.ACCEPT
5923                                                    : RestorePolicy.IGNORE);
5924                                    // At this point we've consumed this file entry
5925                                    // ourselves, so just strip the tar footer and
5926                                    // go on to the next file in the input stream
5927                                    skipTarPadding(info.size, instream);
5928                                    return true;
5929                                } else {
5930                                    // File data before (or without) the apk.  We can't
5931                                    // handle it coherently in this case so ignore it.
5932                                    mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
5933                                    okay = false;
5934                                }
5935                                break;
5936
5937                            case ACCEPT:
5938                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
5939                                    if (DEBUG) Slog.d(TAG, "apk present but ACCEPT");
5940                                    // we can take the data without the apk, so we
5941                                    // *want* to do so.  skip the apk by declaring this
5942                                    // one file not-okay without changing the restore
5943                                    // policy for the package.
5944                                    okay = false;
5945                                }
5946                                break;
5947
5948                            default:
5949                                // Something has gone dreadfully wrong when determining
5950                                // the restore policy from the manifest.  Ignore the
5951                                // rest of this package's data.
5952                                Slog.e(TAG, "Invalid policy from manifest");
5953                                okay = false;
5954                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
5955                                break;
5956                        }
5957
5958                        // Is it a *file* we need to drop?
5959                        if (!isRestorableFile(info)) {
5960                            okay = false;
5961                        }
5962
5963                        // If the policy is satisfied, go ahead and set up to pipe the
5964                        // data to the agent.
5965                        if (MORE_DEBUG && okay && mAgent != null) {
5966                            Slog.i(TAG, "Reusing existing agent instance");
5967                        }
5968                        if (okay && mAgent == null) {
5969                            if (MORE_DEBUG) Slog.d(TAG, "Need to launch agent for " + pkg);
5970
5971                            try {
5972                                mTargetApp = mPackageManager.getApplicationInfo(pkg, 0);
5973
5974                                // If we haven't sent any data to this app yet, we probably
5975                                // need to clear it first.  Check that.
5976                                if (!mClearedPackages.contains(pkg)) {
5977                                    // apps with their own backup agents are
5978                                    // responsible for coherently managing a full
5979                                    // restore.
5980                                    if (mTargetApp.backupAgentName == null) {
5981                                        if (DEBUG) Slog.d(TAG, "Clearing app data preparatory to full restore");
5982                                        clearApplicationDataSynchronous(pkg);
5983                                    } else {
5984                                        if (MORE_DEBUG) Slog.d(TAG, "backup agent ("
5985                                                + mTargetApp.backupAgentName + ") => no clear");
5986                                    }
5987                                    mClearedPackages.add(pkg);
5988                                } else {
5989                                    if (MORE_DEBUG) {
5990                                        Slog.d(TAG, "We've initialized this app already; no clear required");
5991                                    }
5992                                }
5993
5994                                // All set; now set up the IPC and launch the agent
5995                                setUpPipes();
5996                                mAgent = bindToAgentSynchronous(mTargetApp,
5997                                        ApplicationThreadConstants.BACKUP_MODE_RESTORE_FULL);
5998                                mAgentPackage = pkg;
5999                            } catch (IOException e) {
6000                                // fall through to error handling
6001                            } catch (NameNotFoundException e) {
6002                                // fall through to error handling
6003                            }
6004
6005                            if (mAgent == null) {
6006                                Slog.e(TAG, "Unable to create agent for " + pkg);
6007                                okay = false;
6008                                tearDownPipes();
6009                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
6010                            }
6011                        }
6012
6013                        // Sanity check: make sure we never give data to the wrong app.  This
6014                        // should never happen but a little paranoia here won't go amiss.
6015                        if (okay && !pkg.equals(mAgentPackage)) {
6016                            Slog.e(TAG, "Restoring data for " + pkg
6017                                    + " but agent is for " + mAgentPackage);
6018                            okay = false;
6019                        }
6020
6021                        // At this point we have an agent ready to handle the full
6022                        // restore data as well as a pipe for sending data to
6023                        // that agent.  Tell the agent to start reading from the
6024                        // pipe.
6025                        if (okay) {
6026                            boolean agentSuccess = true;
6027                            long toCopy = info.size;
6028                            try {
6029                                prepareOperationTimeout(mEphemeralOpToken,
6030                                        TIMEOUT_FULL_BACKUP_INTERVAL, mMonitorTask,
6031                                        OP_TYPE_RESTORE_WAIT);
6032
6033                                if (info.domain.equals(FullBackup.OBB_TREE_TOKEN)) {
6034                                    if (DEBUG) Slog.d(TAG, "Restoring OBB file for " + pkg
6035                                            + " : " + info.path);
6036                                    mObbConnection.restoreObbFile(pkg, mPipes[0],
6037                                            info.size, info.type, info.path, info.mode,
6038                                            info.mtime, mEphemeralOpToken, mBackupManagerBinder);
6039                                } else {
6040                                    if (MORE_DEBUG) Slog.d(TAG, "Invoking agent to restore file "
6041                                            + info.path);
6042                                    // fire up the app's agent listening on the socket.  If
6043                                    // the agent is running in the system process we can't
6044                                    // just invoke it asynchronously, so we provide a thread
6045                                    // for it here.
6046                                    if (mTargetApp.processName.equals("system")) {
6047                                        Slog.d(TAG, "system process agent - spinning a thread");
6048                                        RestoreFileRunnable runner = new RestoreFileRunnable(
6049                                                mAgent, info, mPipes[0], mEphemeralOpToken);
6050                                        new Thread(runner, "restore-sys-runner").start();
6051                                    } else {
6052                                        mAgent.doRestoreFile(mPipes[0], info.size, info.type,
6053                                                info.domain, info.path, info.mode, info.mtime,
6054                                                mEphemeralOpToken, mBackupManagerBinder);
6055                                    }
6056                                }
6057                            } catch (IOException e) {
6058                                // couldn't dup the socket for a process-local restore
6059                                Slog.d(TAG, "Couldn't establish restore");
6060                                agentSuccess = false;
6061                                okay = false;
6062                            } catch (RemoteException e) {
6063                                // whoops, remote entity went away.  We'll eat the content
6064                                // ourselves, then, and not copy it over.
6065                                Slog.e(TAG, "Agent crashed during full restore");
6066                                agentSuccess = false;
6067                                okay = false;
6068                            }
6069
6070                            // Copy over the data if the agent is still good
6071                            if (okay) {
6072                                if (MORE_DEBUG) {
6073                                    Slog.v(TAG, "  copying to restore agent: "
6074                                            + toCopy + " bytes");
6075                                }
6076                                boolean pipeOkay = true;
6077                                FileOutputStream pipe = new FileOutputStream(
6078                                        mPipes[1].getFileDescriptor());
6079                                while (toCopy > 0) {
6080                                    int toRead = (toCopy > mBuffer.length)
6081                                            ? mBuffer.length : (int)toCopy;
6082                                    int nRead = instream.read(mBuffer, 0, toRead);
6083                                    if (nRead >= 0) mBytes += nRead;
6084                                    if (nRead <= 0) break;
6085                                    toCopy -= nRead;
6086
6087                                    // send it to the output pipe as long as things
6088                                    // are still good
6089                                    if (pipeOkay) {
6090                                        try {
6091                                            pipe.write(mBuffer, 0, nRead);
6092                                        } catch (IOException e) {
6093                                            Slog.e(TAG, "Failed to write to restore pipe: "
6094                                                    + e.getMessage());
6095                                            pipeOkay = false;
6096                                        }
6097                                    }
6098                                }
6099
6100                                // done sending that file!  Now we just need to consume
6101                                // the delta from info.size to the end of block.
6102                                skipTarPadding(info.size, instream);
6103
6104                                // and now that we've sent it all, wait for the remote
6105                                // side to acknowledge receipt
6106                                agentSuccess = waitUntilOperationComplete(mEphemeralOpToken);
6107                            }
6108
6109                            // okay, if the remote end failed at any point, deal with
6110                            // it by ignoring the rest of the restore on it
6111                            if (!agentSuccess) {
6112                                Slog.w(TAG, "Agent failure; ending restore");
6113                                mBackupHandler.removeMessages(MSG_RESTORE_OPERATION_TIMEOUT);
6114                                tearDownPipes();
6115                                tearDownAgent(mTargetApp);
6116                                mAgent = null;
6117                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
6118
6119                                // If this was a single-package restore, we halt immediately
6120                                // with an agent error under these circumstances
6121                                if (mOnlyPackage != null) {
6122                                    setResult(RestoreEngine.TARGET_FAILURE);
6123                                    setRunning(false);
6124                                    return false;
6125                                }
6126                            }
6127                        }
6128
6129                        // Problems setting up the agent communication, an explicitly
6130                        // dropped file, or an already-ignored package: skip to the
6131                        // next stream entry by reading and discarding this file.
6132                        if (!okay) {
6133                            if (MORE_DEBUG) Slog.d(TAG, "[discarding file content]");
6134                            long bytesToConsume = (info.size + 511) & ~511;
6135                            while (bytesToConsume > 0) {
6136                                int toRead = (bytesToConsume > mBuffer.length)
6137                                        ? mBuffer.length : (int)bytesToConsume;
6138                                long nRead = instream.read(mBuffer, 0, toRead);
6139                                if (nRead >= 0) mBytes += nRead;
6140                                if (nRead <= 0) break;
6141                                bytesToConsume -= nRead;
6142                            }
6143                        }
6144                    }
6145                }
6146            } catch (IOException e) {
6147                if (DEBUG) Slog.w(TAG, "io exception on restore socket read: " + e.getMessage());
6148                setResult(RestoreEngine.TRANSPORT_FAILURE);
6149                info = null;
6150            }
6151
6152            // If we got here we're either running smoothly or we've finished
6153            if (info == null) {
6154                if (MORE_DEBUG) {
6155                    Slog.i(TAG, "No [more] data for this package; tearing down");
6156                }
6157                tearDownPipes();
6158                setRunning(false);
6159                if (mustKillAgent) {
6160                    tearDownAgent(mTargetApp);
6161                }
6162            }
6163            return (info != null);
6164        }
6165
6166        void setUpPipes() throws IOException {
6167            mPipes = ParcelFileDescriptor.createPipe();
6168        }
6169
6170        void tearDownPipes() {
6171            // Teardown might arise from the inline restore processing or from the asynchronous
6172            // timeout mechanism, and these might race.  Make sure we don't try to close and
6173            // null out the pipes twice.
6174            synchronized (this) {
6175                if (mPipes != null) {
6176                    try {
6177                        mPipes[0].close();
6178                        mPipes[0] = null;
6179                        mPipes[1].close();
6180                        mPipes[1] = null;
6181                    } catch (IOException e) {
6182                        Slog.w(TAG, "Couldn't close agent pipes", e);
6183                    }
6184                    mPipes = null;
6185                }
6186            }
6187        }
6188
6189        void tearDownAgent(ApplicationInfo app) {
6190            if (mAgent != null) {
6191                tearDownAgentAndKill(app);
6192                mAgent = null;
6193            }
6194        }
6195
6196        void handleTimeout() {
6197            tearDownPipes();
6198            setResult(RestoreEngine.TARGET_FAILURE);
6199            setRunning(false);
6200        }
6201
6202        class RestoreInstallObserver extends PackageInstallObserver {
6203            final AtomicBoolean mDone = new AtomicBoolean();
6204            String mPackageName;
6205            int mResult;
6206
6207            public void reset() {
6208                synchronized (mDone) {
6209                    mDone.set(false);
6210                }
6211            }
6212
6213            public void waitForCompletion() {
6214                synchronized (mDone) {
6215                    while (mDone.get() == false) {
6216                        try {
6217                            mDone.wait();
6218                        } catch (InterruptedException e) { }
6219                    }
6220                }
6221            }
6222
6223            int getResult() {
6224                return mResult;
6225            }
6226
6227            @Override
6228            public void onPackageInstalled(String packageName, int returnCode,
6229                    String msg, Bundle extras) {
6230                synchronized (mDone) {
6231                    mResult = returnCode;
6232                    mPackageName = packageName;
6233                    mDone.set(true);
6234                    mDone.notifyAll();
6235                }
6236            }
6237        }
6238
6239        class RestoreDeleteObserver extends IPackageDeleteObserver.Stub {
6240            final AtomicBoolean mDone = new AtomicBoolean();
6241            int mResult;
6242
6243            public void reset() {
6244                synchronized (mDone) {
6245                    mDone.set(false);
6246                }
6247            }
6248
6249            public void waitForCompletion() {
6250                synchronized (mDone) {
6251                    while (mDone.get() == false) {
6252                        try {
6253                            mDone.wait();
6254                        } catch (InterruptedException e) { }
6255                    }
6256                }
6257            }
6258
6259            @Override
6260            public void packageDeleted(String packageName, int returnCode) throws RemoteException {
6261                synchronized (mDone) {
6262                    mResult = returnCode;
6263                    mDone.set(true);
6264                    mDone.notifyAll();
6265                }
6266            }
6267        }
6268
6269        final RestoreInstallObserver mInstallObserver = new RestoreInstallObserver();
6270        final RestoreDeleteObserver mDeleteObserver = new RestoreDeleteObserver();
6271
6272        boolean installApk(FileMetadata info, String installerPackage, InputStream instream) {
6273            boolean okay = true;
6274
6275            if (DEBUG) Slog.d(TAG, "Installing from backup: " + info.packageName);
6276
6277            // The file content is an .apk file.  Copy it out to a staging location and
6278            // attempt to install it.
6279            File apkFile = new File(mDataDir, info.packageName);
6280            try {
6281                FileOutputStream apkStream = new FileOutputStream(apkFile);
6282                byte[] buffer = new byte[32 * 1024];
6283                long size = info.size;
6284                while (size > 0) {
6285                    long toRead = (buffer.length < size) ? buffer.length : size;
6286                    int didRead = instream.read(buffer, 0, (int)toRead);
6287                    if (didRead >= 0) mBytes += didRead;
6288                    apkStream.write(buffer, 0, didRead);
6289                    size -= didRead;
6290                }
6291                apkStream.close();
6292
6293                // make sure the installer can read it
6294                apkFile.setReadable(true, false);
6295
6296                // Now install it
6297                Uri packageUri = Uri.fromFile(apkFile);
6298                mInstallObserver.reset();
6299                mPackageManager.installPackage(packageUri, mInstallObserver,
6300                        PackageManager.INSTALL_REPLACE_EXISTING | PackageManager.INSTALL_FROM_ADB,
6301                        installerPackage);
6302                mInstallObserver.waitForCompletion();
6303
6304                if (mInstallObserver.getResult() != PackageManager.INSTALL_SUCCEEDED) {
6305                    // The only time we continue to accept install of data even if the
6306                    // apk install failed is if we had already determined that we could
6307                    // accept the data regardless.
6308                    if (mPackagePolicies.get(info.packageName) != RestorePolicy.ACCEPT) {
6309                        okay = false;
6310                    }
6311                } else {
6312                    // Okay, the install succeeded.  Make sure it was the right app.
6313                    boolean uninstall = false;
6314                    if (!mInstallObserver.mPackageName.equals(info.packageName)) {
6315                        Slog.w(TAG, "Restore stream claimed to include apk for "
6316                                + info.packageName + " but apk was really "
6317                                + mInstallObserver.mPackageName);
6318                        // delete the package we just put in place; it might be fraudulent
6319                        okay = false;
6320                        uninstall = true;
6321                    } else {
6322                        try {
6323                            PackageInfo pkg = mPackageManager.getPackageInfo(info.packageName,
6324                                    PackageManager.GET_SIGNATURES);
6325                            if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
6326                                Slog.w(TAG, "Restore stream contains apk of package "
6327                                        + info.packageName + " but it disallows backup/restore");
6328                                okay = false;
6329                            } else {
6330                                // So far so good -- do the signatures match the manifest?
6331                                Signature[] sigs = mManifestSignatures.get(info.packageName);
6332                                if (signaturesMatch(sigs, pkg)) {
6333                                    // If this is a system-uid app without a declared backup agent,
6334                                    // don't restore any of the file data.
6335                                    if ((pkg.applicationInfo.uid < Process.FIRST_APPLICATION_UID)
6336                                            && (pkg.applicationInfo.backupAgentName == null)) {
6337                                        Slog.w(TAG, "Installed app " + info.packageName
6338                                                + " has restricted uid and no agent");
6339                                        okay = false;
6340                                    }
6341                                } else {
6342                                    Slog.w(TAG, "Installed app " + info.packageName
6343                                            + " signatures do not match restore manifest");
6344                                    okay = false;
6345                                    uninstall = true;
6346                                }
6347                            }
6348                        } catch (NameNotFoundException e) {
6349                            Slog.w(TAG, "Install of package " + info.packageName
6350                                    + " succeeded but now not found");
6351                            okay = false;
6352                        }
6353                    }
6354
6355                    // If we're not okay at this point, we need to delete the package
6356                    // that we just installed.
6357                    if (uninstall) {
6358                        mDeleteObserver.reset();
6359                        mPackageManager.deletePackage(mInstallObserver.mPackageName,
6360                                mDeleteObserver, 0);
6361                        mDeleteObserver.waitForCompletion();
6362                    }
6363                }
6364            } catch (IOException e) {
6365                Slog.e(TAG, "Unable to transcribe restored apk for install");
6366                okay = false;
6367            } finally {
6368                apkFile.delete();
6369            }
6370
6371            return okay;
6372        }
6373
6374        // Given an actual file content size, consume the post-content padding mandated
6375        // by the tar format.
6376        void skipTarPadding(long size, InputStream instream) throws IOException {
6377            long partial = (size + 512) % 512;
6378            if (partial > 0) {
6379                final int needed = 512 - (int)partial;
6380                if (MORE_DEBUG) {
6381                    Slog.i(TAG, "Skipping tar padding: " + needed + " bytes");
6382                }
6383                byte[] buffer = new byte[needed];
6384                if (readExactly(instream, buffer, 0, needed) == needed) {
6385                    mBytes += needed;
6386                } else throw new IOException("Unexpected EOF in padding");
6387            }
6388        }
6389
6390        // Read a widget metadata file, returning the restored blob
6391        void readMetadata(FileMetadata info, InputStream instream) throws IOException {
6392            // Fail on suspiciously large widget dump files
6393            if (info.size > 64 * 1024) {
6394                throw new IOException("Metadata too big; corrupt? size=" + info.size);
6395            }
6396
6397            byte[] buffer = new byte[(int) info.size];
6398            if (readExactly(instream, buffer, 0, (int)info.size) == info.size) {
6399                mBytes += info.size;
6400            } else throw new IOException("Unexpected EOF in widget data");
6401
6402            String[] str = new String[1];
6403            int offset = extractLine(buffer, 0, str);
6404            int version = Integer.parseInt(str[0]);
6405            if (version == BACKUP_MANIFEST_VERSION) {
6406                offset = extractLine(buffer, offset, str);
6407                final String pkg = str[0];
6408                if (info.packageName.equals(pkg)) {
6409                    // Data checks out -- the rest of the buffer is a concatenation of
6410                    // binary blobs as described in the comment at writeAppWidgetData()
6411                    ByteArrayInputStream bin = new ByteArrayInputStream(buffer,
6412                            offset, buffer.length - offset);
6413                    DataInputStream in = new DataInputStream(bin);
6414                    while (bin.available() > 0) {
6415                        int token = in.readInt();
6416                        int size = in.readInt();
6417                        if (size > 64 * 1024) {
6418                            throw new IOException("Datum "
6419                                    + Integer.toHexString(token)
6420                                    + " too big; corrupt? size=" + info.size);
6421                        }
6422                        switch (token) {
6423                            case BACKUP_WIDGET_METADATA_TOKEN:
6424                            {
6425                                if (MORE_DEBUG) {
6426                                    Slog.i(TAG, "Got widget metadata for " + info.packageName);
6427                                }
6428                                mWidgetData = new byte[size];
6429                                in.read(mWidgetData);
6430                                break;
6431                            }
6432                            default:
6433                            {
6434                                if (DEBUG) {
6435                                    Slog.i(TAG, "Ignoring metadata blob "
6436                                            + Integer.toHexString(token)
6437                                            + " for " + info.packageName);
6438                                }
6439                                in.skipBytes(size);
6440                                break;
6441                            }
6442                        }
6443                    }
6444                } else {
6445                    Slog.w(TAG, "Metadata mismatch: package " + info.packageName
6446                            + " but widget data for " + pkg);
6447
6448                    Bundle monitoringExtras = putMonitoringExtra(null,
6449                            EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName);
6450                    monitoringExtras = putMonitoringExtra(monitoringExtras,
6451                            BackupManagerMonitor.EXTRA_LOG_WIDGET_PACKAGE_NAME, pkg);
6452                    mMonitor = monitorEvent(mMonitor,
6453                            BackupManagerMonitor.LOG_EVENT_ID_WIDGET_METADATA_MISMATCH,
6454                            null,
6455                            LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6456                            monitoringExtras);
6457                }
6458            } else {
6459                Slog.w(TAG, "Unsupported metadata version " + version);
6460
6461                Bundle monitoringExtras = putMonitoringExtra(null, EXTRA_LOG_EVENT_PACKAGE_NAME,
6462                        info.packageName);
6463                monitoringExtras = putMonitoringExtra(monitoringExtras,
6464                        EXTRA_LOG_EVENT_PACKAGE_VERSION, version);
6465                mMonitor = monitorEvent(mMonitor,
6466                        BackupManagerMonitor.LOG_EVENT_ID_WIDGET_UNKNOWN_VERSION,
6467                        null,
6468                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6469                        monitoringExtras);
6470            }
6471        }
6472
6473        // Returns a policy constant
6474        RestorePolicy readAppManifest(FileMetadata info, InputStream instream)
6475                throws IOException {
6476            // Fail on suspiciously large manifest files
6477            if (info.size > 64 * 1024) {
6478                throw new IOException("Restore manifest too big; corrupt? size=" + info.size);
6479            }
6480
6481            byte[] buffer = new byte[(int) info.size];
6482            if (MORE_DEBUG) {
6483                Slog.i(TAG, "   readAppManifest() looking for " + info.size + " bytes, "
6484                        + mBytes + " already consumed");
6485            }
6486            if (readExactly(instream, buffer, 0, (int)info.size) == info.size) {
6487                mBytes += info.size;
6488            } else throw new IOException("Unexpected EOF in manifest");
6489
6490            RestorePolicy policy = RestorePolicy.IGNORE;
6491            String[] str = new String[1];
6492            int offset = 0;
6493
6494            try {
6495                offset = extractLine(buffer, offset, str);
6496                int version = Integer.parseInt(str[0]);
6497                if (version == BACKUP_MANIFEST_VERSION) {
6498                    offset = extractLine(buffer, offset, str);
6499                    String manifestPackage = str[0];
6500                    // TODO: handle <original-package>
6501                    if (manifestPackage.equals(info.packageName)) {
6502                        offset = extractLine(buffer, offset, str);
6503                        version = Integer.parseInt(str[0]);  // app version
6504                        offset = extractLine(buffer, offset, str);
6505                        // This is the platform version, which we don't use, but we parse it
6506                        // as a safety against corruption in the manifest.
6507                        Integer.parseInt(str[0]);
6508                        offset = extractLine(buffer, offset, str);
6509                        info.installerPackageName = (str[0].length() > 0) ? str[0] : null;
6510                        offset = extractLine(buffer, offset, str);
6511                        boolean hasApk = str[0].equals("1");
6512                        offset = extractLine(buffer, offset, str);
6513                        int numSigs = Integer.parseInt(str[0]);
6514                        if (numSigs > 0) {
6515                            Signature[] sigs = new Signature[numSigs];
6516                            for (int i = 0; i < numSigs; i++) {
6517                                offset = extractLine(buffer, offset, str);
6518                                sigs[i] = new Signature(str[0]);
6519                            }
6520                            mManifestSignatures.put(info.packageName, sigs);
6521
6522                            // Okay, got the manifest info we need...
6523                            try {
6524                                PackageInfo pkgInfo = mPackageManager.getPackageInfo(
6525                                        info.packageName, PackageManager.GET_SIGNATURES);
6526                                // Fall through to IGNORE if the app explicitly disallows backup
6527                                final int flags = pkgInfo.applicationInfo.flags;
6528                                if ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
6529                                    // Restore system-uid-space packages only if they have
6530                                    // defined a custom backup agent
6531                                    if ((pkgInfo.applicationInfo.uid >= Process.FIRST_APPLICATION_UID)
6532                                            || (pkgInfo.applicationInfo.backupAgentName != null)) {
6533                                        // Verify signatures against any installed version; if they
6534                                        // don't match, then we fall though and ignore the data.  The
6535                                        // signatureMatch() method explicitly ignores the signature
6536                                        // check for packages installed on the system partition, because
6537                                        // such packages are signed with the platform cert instead of
6538                                        // the app developer's cert, so they're different on every
6539                                        // device.
6540                                        if (signaturesMatch(sigs, pkgInfo)) {
6541                                            if ((pkgInfo.applicationInfo.flags
6542                                                    & ApplicationInfo.FLAG_RESTORE_ANY_VERSION) != 0) {
6543                                                Slog.i(TAG, "Package has restoreAnyVersion; taking data");
6544                                                mMonitor = monitorEvent(mMonitor,
6545                                                        LOG_EVENT_ID_RESTORE_ANY_VERSION,
6546                                                        pkgInfo,
6547                                                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6548                                                        null);
6549                                                policy = RestorePolicy.ACCEPT;
6550                                            } else if (pkgInfo.versionCode >= version) {
6551                                                Slog.i(TAG, "Sig + version match; taking data");
6552                                                policy = RestorePolicy.ACCEPT;
6553                                                mMonitor = monitorEvent(mMonitor,
6554                                                        LOG_EVENT_ID_VERSIONS_MATCH,
6555                                                        pkgInfo,
6556                                                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6557                                                        null);
6558                                            } else {
6559                                                // The data is from a newer version of the app than
6560                                                // is presently installed.  That means we can only
6561                                                // use it if the matching apk is also supplied.
6562                                                if (mAllowApks) {
6563                                                    Slog.i(TAG, "Data version " + version
6564                                                            + " is newer than installed version "
6565                                                            + pkgInfo.versionCode
6566                                                            + " - requiring apk");
6567                                                    policy = RestorePolicy.ACCEPT_IF_APK;
6568                                                } else {
6569                                                    Slog.i(TAG, "Data requires newer version "
6570                                                            + version + "; ignoring");
6571                                                    mMonitor = monitorEvent(mMonitor,
6572                                                            LOG_EVENT_ID_VERSION_OF_BACKUP_OLDER,
6573                                                            pkgInfo,
6574                                                            LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6575                                                            putMonitoringExtra(null,
6576                                                                    EXTRA_LOG_OLD_VERSION,
6577                                                                    version));
6578
6579                                                    policy = RestorePolicy.IGNORE;
6580                                                }
6581                                            }
6582                                        } else {
6583                                            Slog.w(TAG, "Restore manifest signatures do not match "
6584                                                    + "installed application for " + info.packageName);
6585                                            mMonitor = monitorEvent(mMonitor,
6586                                                    LOG_EVENT_ID_FULL_RESTORE_SIGNATURE_MISMATCH,
6587                                                    pkgInfo,
6588                                                    LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6589                                                    null);
6590                                        }
6591                                    } else {
6592                                        Slog.w(TAG, "Package " + info.packageName
6593                                                + " is system level with no agent");
6594                                        mMonitor = monitorEvent(mMonitor,
6595                                                LOG_EVENT_ID_SYSTEM_APP_NO_AGENT,
6596                                                pkgInfo,
6597                                                LOG_EVENT_CATEGORY_AGENT,
6598                                                null);
6599                                    }
6600                                } else {
6601                                    if (DEBUG) Slog.i(TAG, "Restore manifest from "
6602                                            + info.packageName + " but allowBackup=false");
6603                                    mMonitor = monitorEvent(mMonitor,
6604                                            LOG_EVENT_ID_FULL_RESTORE_ALLOW_BACKUP_FALSE,
6605                                            pkgInfo,
6606                                            LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6607                                            null);
6608                                }
6609                            } catch (NameNotFoundException e) {
6610                                // Okay, the target app isn't installed.  We can process
6611                                // the restore properly only if the dataset provides the
6612                                // apk file and we can successfully install it.
6613                                if (mAllowApks) {
6614                                    if (DEBUG) Slog.i(TAG, "Package " + info.packageName
6615                                            + " not installed; requiring apk in dataset");
6616                                    policy = RestorePolicy.ACCEPT_IF_APK;
6617                                } else {
6618                                    policy = RestorePolicy.IGNORE;
6619                                }
6620                                Bundle monitoringExtras = putMonitoringExtra(null,
6621                                        EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName);
6622                                monitoringExtras = putMonitoringExtra(monitoringExtras,
6623                                        EXTRA_LOG_POLICY_ALLOW_APKS, mAllowApks);
6624                                mMonitor = monitorEvent(mMonitor,
6625                                        LOG_EVENT_ID_APK_NOT_INSTALLED,
6626                                        null,
6627                                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6628                                        monitoringExtras);
6629                            }
6630
6631                            if (policy == RestorePolicy.ACCEPT_IF_APK && !hasApk) {
6632                                Slog.i(TAG, "Cannot restore package " + info.packageName
6633                                        + " without the matching .apk");
6634                                mMonitor = monitorEvent(mMonitor,
6635                                        LOG_EVENT_ID_CANNOT_RESTORE_WITHOUT_APK,
6636                                        null,
6637                                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6638                                        putMonitoringExtra(null,
6639                                                EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName));
6640                            }
6641                        } else {
6642                            Slog.i(TAG, "Missing signature on backed-up package "
6643                                    + info.packageName);
6644                            mMonitor = monitorEvent(mMonitor,
6645                                    LOG_EVENT_ID_MISSING_SIGNATURE,
6646                                    null,
6647                                    LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6648                                    putMonitoringExtra(null,
6649                                            EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName));
6650                        }
6651                    } else {
6652                        Slog.i(TAG, "Expected package " + info.packageName
6653                                + " but restore manifest claims " + manifestPackage);
6654                        Bundle monitoringExtras = putMonitoringExtra(null,
6655                                EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName);
6656                        monitoringExtras = putMonitoringExtra(monitoringExtras,
6657                                EXTRA_LOG_MANIFEST_PACKAGE_NAME, manifestPackage);
6658                        mMonitor = monitorEvent(mMonitor,
6659                                LOG_EVENT_ID_EXPECTED_DIFFERENT_PACKAGE,
6660                                null,
6661                                LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6662                                monitoringExtras);
6663                    }
6664                } else {
6665                    Slog.i(TAG, "Unknown restore manifest version " + version
6666                            + " for package " + info.packageName);
6667                    Bundle monitoringExtras = putMonitoringExtra(null,
6668                            EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName);
6669                    monitoringExtras = putMonitoringExtra(monitoringExtras,
6670                            EXTRA_LOG_EVENT_PACKAGE_VERSION, version);
6671                    mMonitor = monitorEvent(mMonitor,
6672                            BackupManagerMonitor.LOG_EVENT_ID_UNKNOWN_VERSION,
6673                            null,
6674                            LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6675                            monitoringExtras);
6676
6677                }
6678            } catch (NumberFormatException e) {
6679                Slog.w(TAG, "Corrupt restore manifest for package " + info.packageName);
6680                mMonitor = monitorEvent(mMonitor,
6681                        BackupManagerMonitor.LOG_EVENT_ID_CORRUPT_MANIFEST,
6682                        null,
6683                        LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
6684                        putMonitoringExtra(null, EXTRA_LOG_EVENT_PACKAGE_NAME, info.packageName));
6685            } catch (IllegalArgumentException e) {
6686                Slog.w(TAG, e.getMessage());
6687            }
6688
6689            return policy;
6690        }
6691
6692        // Builds a line from a byte buffer starting at 'offset', and returns
6693        // the index of the next unconsumed data in the buffer.
6694        int extractLine(byte[] buffer, int offset, String[] outStr) throws IOException {
6695            final int end = buffer.length;
6696            if (offset >= end) throw new IOException("Incomplete data");
6697
6698            int pos;
6699            for (pos = offset; pos < end; pos++) {
6700                byte c = buffer[pos];
6701                // at LF we declare end of line, and return the next char as the
6702                // starting point for the next time through
6703                if (c == '\n') {
6704                    break;
6705                }
6706            }
6707            outStr[0] = new String(buffer, offset, pos - offset);
6708            pos++;  // may be pointing an extra byte past the end but that's okay
6709            return pos;
6710        }
6711
6712        void dumpFileMetadata(FileMetadata info) {
6713            if (MORE_DEBUG) {
6714                StringBuilder b = new StringBuilder(128);
6715
6716                // mode string
6717                b.append((info.type == BackupAgent.TYPE_DIRECTORY) ? 'd' : '-');
6718                b.append(((info.mode & 0400) != 0) ? 'r' : '-');
6719                b.append(((info.mode & 0200) != 0) ? 'w' : '-');
6720                b.append(((info.mode & 0100) != 0) ? 'x' : '-');
6721                b.append(((info.mode & 0040) != 0) ? 'r' : '-');
6722                b.append(((info.mode & 0020) != 0) ? 'w' : '-');
6723                b.append(((info.mode & 0010) != 0) ? 'x' : '-');
6724                b.append(((info.mode & 0004) != 0) ? 'r' : '-');
6725                b.append(((info.mode & 0002) != 0) ? 'w' : '-');
6726                b.append(((info.mode & 0001) != 0) ? 'x' : '-');
6727                b.append(String.format(" %9d ", info.size));
6728
6729                Date stamp = new Date(info.mtime);
6730                b.append(new SimpleDateFormat("MMM dd HH:mm:ss ").format(stamp));
6731
6732                b.append(info.packageName);
6733                b.append(" :: ");
6734                b.append(info.domain);
6735                b.append(" :: ");
6736                b.append(info.path);
6737
6738                Slog.i(TAG, b.toString());
6739            }
6740        }
6741
6742        // Consume a tar file header block [sequence] and accumulate the relevant metadata
6743        FileMetadata readTarHeaders(InputStream instream) throws IOException {
6744            byte[] block = new byte[512];
6745            FileMetadata info = null;
6746
6747            boolean gotHeader = readTarHeader(instream, block);
6748            if (gotHeader) {
6749                try {
6750                    // okay, presume we're okay, and extract the various metadata
6751                    info = new FileMetadata();
6752                    info.size = extractRadix(block, TAR_HEADER_OFFSET_FILESIZE,
6753                            TAR_HEADER_LENGTH_FILESIZE, TAR_HEADER_LONG_RADIX);
6754                    info.mtime = extractRadix(block, TAR_HEADER_OFFSET_MODTIME,
6755                            TAR_HEADER_LENGTH_MODTIME, TAR_HEADER_LONG_RADIX);
6756                    info.mode = extractRadix(block, TAR_HEADER_OFFSET_MODE,
6757                            TAR_HEADER_LENGTH_MODE, TAR_HEADER_LONG_RADIX);
6758
6759                    info.path = extractString(block, TAR_HEADER_OFFSET_PATH_PREFIX,
6760                            TAR_HEADER_LENGTH_PATH_PREFIX);
6761                    String path = extractString(block, TAR_HEADER_OFFSET_PATH,
6762                            TAR_HEADER_LENGTH_PATH);
6763                    if (path.length() > 0) {
6764                        if (info.path.length() > 0) info.path += '/';
6765                        info.path += path;
6766                    }
6767
6768                    // tar link indicator field: 1 byte at offset 156 in the header.
6769                    int typeChar = block[TAR_HEADER_OFFSET_TYPE_CHAR];
6770                    if (typeChar == 'x') {
6771                        // pax extended header, so we need to read that
6772                        gotHeader = readPaxExtendedHeader(instream, info);
6773                        if (gotHeader) {
6774                            // and after a pax extended header comes another real header -- read
6775                            // that to find the real file type
6776                            gotHeader = readTarHeader(instream, block);
6777                        }
6778                        if (!gotHeader) throw new IOException("Bad or missing pax header");
6779
6780                        typeChar = block[TAR_HEADER_OFFSET_TYPE_CHAR];
6781                    }
6782
6783                    switch (typeChar) {
6784                        case '0': info.type = BackupAgent.TYPE_FILE; break;
6785                        case '5': {
6786                            info.type = BackupAgent.TYPE_DIRECTORY;
6787                            if (info.size != 0) {
6788                                Slog.w(TAG, "Directory entry with nonzero size in header");
6789                                info.size = 0;
6790                            }
6791                            break;
6792                        }
6793                        case 0: {
6794                            // presume EOF
6795                            if (MORE_DEBUG) Slog.w(TAG, "Saw type=0 in tar header block, info=" + info);
6796                            return null;
6797                        }
6798                        default: {
6799                            Slog.e(TAG, "Unknown tar entity type: " + typeChar);
6800                            throw new IOException("Unknown entity type " + typeChar);
6801                        }
6802                    }
6803
6804                    // Parse out the path
6805                    //
6806                    // first: apps/shared/unrecognized
6807                    if (FullBackup.SHARED_PREFIX.regionMatches(0,
6808                            info.path, 0, FullBackup.SHARED_PREFIX.length())) {
6809                        // File in shared storage.  !!! TODO: implement this.
6810                        info.path = info.path.substring(FullBackup.SHARED_PREFIX.length());
6811                        info.packageName = SHARED_BACKUP_AGENT_PACKAGE;
6812                        info.domain = FullBackup.SHARED_STORAGE_TOKEN;
6813                        if (DEBUG) Slog.i(TAG, "File in shared storage: " + info.path);
6814                    } else if (FullBackup.APPS_PREFIX.regionMatches(0,
6815                            info.path, 0, FullBackup.APPS_PREFIX.length())) {
6816                        // App content!  Parse out the package name and domain
6817
6818                        // strip the apps/ prefix
6819                        info.path = info.path.substring(FullBackup.APPS_PREFIX.length());
6820
6821                        // extract the package name
6822                        int slash = info.path.indexOf('/');
6823                        if (slash < 0) throw new IOException("Illegal semantic path in " + info.path);
6824                        info.packageName = info.path.substring(0, slash);
6825                        info.path = info.path.substring(slash+1);
6826
6827                        // if it's a manifest or metadata payload we're done, otherwise parse
6828                        // out the domain into which the file will be restored
6829                        if (!info.path.equals(BACKUP_MANIFEST_FILENAME)
6830                                && !info.path.equals(BACKUP_METADATA_FILENAME)) {
6831                            slash = info.path.indexOf('/');
6832                            if (slash < 0) {
6833                                throw new IOException("Illegal semantic path in non-manifest "
6834                                        + info.path);
6835                            }
6836                            info.domain = info.path.substring(0, slash);
6837                            info.path = info.path.substring(slash + 1);
6838                        }
6839                    }
6840                } catch (IOException e) {
6841                    if (DEBUG) {
6842                        Slog.e(TAG, "Parse error in header: " + e.getMessage());
6843                        if (MORE_DEBUG) {
6844                            HEXLOG(block);
6845                        }
6846                    }
6847                    throw e;
6848                }
6849            }
6850            return info;
6851        }
6852
6853        private boolean isRestorableFile(FileMetadata info) {
6854            if (FullBackup.CACHE_TREE_TOKEN.equals(info.domain)) {
6855                if (MORE_DEBUG) {
6856                    Slog.i(TAG, "Dropping cache file path " + info.path);
6857                }
6858                return false;
6859            }
6860
6861            if (FullBackup.ROOT_TREE_TOKEN.equals(info.domain)) {
6862                // It's possible this is "no-backup" dir contents in an archive stream
6863                // produced on a device running a version of the OS that predates that
6864                // API.  Respect the no-backup intention and don't let the data get to
6865                // the app.
6866                if (info.path.startsWith("no_backup/")) {
6867                    if (MORE_DEBUG) {
6868                        Slog.i(TAG, "Dropping no_backup file path " + info.path);
6869                    }
6870                    return false;
6871                }
6872            }
6873
6874            // The path needs to be canonical
6875            if (info.path.contains("..") || info.path.contains("//")) {
6876                if (MORE_DEBUG) {
6877                    Slog.w(TAG, "Dropping invalid path " + info.path);
6878                }
6879                return false;
6880            }
6881
6882            // Otherwise we think this file is good to go
6883            return true;
6884        }
6885
6886        private void HEXLOG(byte[] block) {
6887            int offset = 0;
6888            int todo = block.length;
6889            StringBuilder buf = new StringBuilder(64);
6890            while (todo > 0) {
6891                buf.append(String.format("%04x   ", offset));
6892                int numThisLine = (todo > 16) ? 16 : todo;
6893                for (int i = 0; i < numThisLine; i++) {
6894                    buf.append(String.format("%02x ", block[offset+i]));
6895                }
6896                Slog.i("hexdump", buf.toString());
6897                buf.setLength(0);
6898                todo -= numThisLine;
6899                offset += numThisLine;
6900            }
6901        }
6902
6903        // Read exactly the given number of bytes into a buffer at the stated offset.
6904        // Returns false if EOF is encountered before the requested number of bytes
6905        // could be read.
6906        int readExactly(InputStream in, byte[] buffer, int offset, int size)
6907                throws IOException {
6908            if (size <= 0) throw new IllegalArgumentException("size must be > 0");
6909if (MORE_DEBUG) Slog.i(TAG, "  ... readExactly(" + size + ") called");
6910            int soFar = 0;
6911            while (soFar < size) {
6912                int nRead = in.read(buffer, offset + soFar, size - soFar);
6913                if (nRead <= 0) {
6914                    if (MORE_DEBUG) Slog.w(TAG, "- wanted exactly " + size + " but got only " + soFar);
6915                    break;
6916                }
6917                soFar += nRead;
6918if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soFar));
6919            }
6920            return soFar;
6921        }
6922
6923        boolean readTarHeader(InputStream instream, byte[] block) throws IOException {
6924            final int got = readExactly(instream, block, 0, 512);
6925            if (got == 0) return false;     // Clean EOF
6926            if (got < 512) throw new IOException("Unable to read full block header");
6927            mBytes += 512;
6928            return true;
6929        }
6930
6931        // overwrites 'info' fields based on the pax extended header
6932        boolean readPaxExtendedHeader(InputStream instream, FileMetadata info)
6933                throws IOException {
6934            // We should never see a pax extended header larger than this
6935            if (info.size > 32*1024) {
6936                Slog.w(TAG, "Suspiciously large pax header size " + info.size
6937                        + " - aborting");
6938                throw new IOException("Sanity failure: pax header size " + info.size);
6939            }
6940
6941            // read whole blocks, not just the content size
6942            int numBlocks = (int)((info.size + 511) >> 9);
6943            byte[] data = new byte[numBlocks * 512];
6944            if (readExactly(instream, data, 0, data.length) < data.length) {
6945                throw new IOException("Unable to read full pax header");
6946            }
6947            mBytes += data.length;
6948
6949            final int contentSize = (int) info.size;
6950            int offset = 0;
6951            do {
6952                // extract the line at 'offset'
6953                int eol = offset+1;
6954                while (eol < contentSize && data[eol] != ' ') eol++;
6955                if (eol >= contentSize) {
6956                    // error: we just hit EOD looking for the end of the size field
6957                    throw new IOException("Invalid pax data");
6958                }
6959                // eol points to the space between the count and the key
6960                int linelen = (int) extractRadix(data, offset, eol - offset, 10);
6961                int key = eol + 1;  // start of key=value
6962                eol = offset + linelen - 1; // trailing LF
6963                int value;
6964                for (value = key+1; data[value] != '=' && value <= eol; value++);
6965                if (value > eol) {
6966                    throw new IOException("Invalid pax declaration");
6967                }
6968
6969                // pax requires that key/value strings be in UTF-8
6970                String keyStr = new String(data, key, value-key, "UTF-8");
6971                // -1 to strip the trailing LF
6972                String valStr = new String(data, value+1, eol-value-1, "UTF-8");
6973
6974                if ("path".equals(keyStr)) {
6975                    info.path = valStr;
6976                } else if ("size".equals(keyStr)) {
6977                    info.size = Long.parseLong(valStr);
6978                } else {
6979                    if (DEBUG) Slog.i(TAG, "Unhandled pax key: " + key);
6980                }
6981
6982                offset += linelen;
6983            } while (offset < contentSize);
6984
6985            return true;
6986        }
6987
6988        long extractRadix(byte[] data, int offset, int maxChars, int radix)
6989                throws IOException {
6990            long value = 0;
6991            final int end = offset + maxChars;
6992            for (int i = offset; i < end; i++) {
6993                final byte b = data[i];
6994                // Numeric fields in tar can terminate with either NUL or SPC
6995                if (b == 0 || b == ' ') break;
6996                if (b < '0' || b > ('0' + radix - 1)) {
6997                    throw new IOException("Invalid number in header: '" + (char)b
6998                            + "' for radix " + radix);
6999                }
7000                value = radix * value + (b - '0');
7001            }
7002            return value;
7003        }
7004
7005        String extractString(byte[] data, int offset, int maxChars) throws IOException {
7006            final int end = offset + maxChars;
7007            int eos = offset;
7008            // tar string fields terminate early with a NUL
7009            while (eos < end && data[eos] != 0) eos++;
7010            return new String(data, offset, eos-offset, "US-ASCII");
7011        }
7012
7013        void sendStartRestore() {
7014            if (mObserver != null) {
7015                try {
7016                    mObserver.onStartRestore();
7017                } catch (RemoteException e) {
7018                    Slog.w(TAG, "full restore observer went away: startRestore");
7019                    mObserver = null;
7020                }
7021            }
7022        }
7023
7024        void sendOnRestorePackage(String name) {
7025            if (mObserver != null) {
7026                try {
7027                    // TODO: use a more user-friendly name string
7028                    mObserver.onRestorePackage(name);
7029                } catch (RemoteException e) {
7030                    Slog.w(TAG, "full restore observer went away: restorePackage");
7031                    mObserver = null;
7032                }
7033            }
7034        }
7035
7036        void sendEndRestore() {
7037            if (mObserver != null) {
7038                try {
7039                    mObserver.onEndRestore();
7040                } catch (RemoteException e) {
7041                    Slog.w(TAG, "full restore observer went away: endRestore");
7042                    mObserver = null;
7043                }
7044            }
7045        }
7046    }
7047
7048    // ***** end new engine class ***
7049
7050    // Used for synchronizing doRestoreFinished during adb restore
7051    class AdbRestoreFinishedLatch implements BackupRestoreTask {
7052        static final String TAG = "AdbRestoreFinishedLatch";
7053        final CountDownLatch mLatch;
7054        private final int mCurrentOpToken;
7055
7056        AdbRestoreFinishedLatch(int currentOpToken) {
7057            mLatch = new CountDownLatch(1);
7058            mCurrentOpToken = currentOpToken;
7059        }
7060
7061        void await() {
7062            boolean latched = false;
7063            try {
7064                latched = mLatch.await(TIMEOUT_FULL_BACKUP_INTERVAL, TimeUnit.MILLISECONDS);
7065            } catch (InterruptedException e) {
7066                Slog.w(TAG, "Interrupted!");
7067            }
7068        }
7069
7070        @Override
7071        public void execute() {
7072            // Unused
7073        }
7074
7075        @Override
7076        public void operationComplete(long result) {
7077            if (MORE_DEBUG) {
7078                Slog.w(TAG, "adb onRestoreFinished() complete");
7079            }
7080            mLatch.countDown();
7081            removeOperation(mCurrentOpToken);
7082        }
7083
7084        @Override
7085        public void handleCancel(boolean cancelAll) {
7086            if (DEBUG) {
7087                Slog.w(TAG, "adb onRestoreFinished() timed out");
7088            }
7089            mLatch.countDown();
7090            removeOperation(mCurrentOpToken);
7091        }
7092    }
7093
7094    class PerformAdbRestoreTask implements Runnable {
7095        ParcelFileDescriptor mInputFile;
7096        String mCurrentPassword;
7097        String mDecryptPassword;
7098        IFullBackupRestoreObserver mObserver;
7099        AtomicBoolean mLatchObject;
7100        IBackupAgent mAgent;
7101        PackageManagerBackupAgent mPackageManagerBackupAgent;
7102        String mAgentPackage;
7103        ApplicationInfo mTargetApp;
7104        FullBackupObbConnection mObbConnection = null;
7105        ParcelFileDescriptor[] mPipes = null;
7106        byte[] mWidgetData = null;
7107
7108        long mBytes;
7109
7110        // Runner that can be placed on a separate thread to do in-process invocation
7111        // of the "restore finished" API asynchronously.  Used by adb restore.
7112        class RestoreFinishedRunnable implements Runnable {
7113            final IBackupAgent mAgent;
7114            final int mToken;
7115
7116            RestoreFinishedRunnable(IBackupAgent agent, int token) {
7117                mAgent = agent;
7118                mToken = token;
7119            }
7120
7121            @Override
7122            public void run() {
7123                try {
7124                    mAgent.doRestoreFinished(mToken, mBackupManagerBinder);
7125                } catch (RemoteException e) {
7126                    // never happens; this is used only for local binder calls
7127                }
7128            }
7129        }
7130
7131        // possible handling states for a given package in the restore dataset
7132        final HashMap<String, RestorePolicy> mPackagePolicies
7133                = new HashMap<String, RestorePolicy>();
7134
7135        // installer package names for each encountered app, derived from the manifests
7136        final HashMap<String, String> mPackageInstallers = new HashMap<String, String>();
7137
7138        // Signatures for a given package found in its manifest file
7139        final HashMap<String, Signature[]> mManifestSignatures
7140                = new HashMap<String, Signature[]>();
7141
7142        // Packages we've already wiped data on when restoring their first file
7143        final HashSet<String> mClearedPackages = new HashSet<String>();
7144
7145        PerformAdbRestoreTask(ParcelFileDescriptor fd, String curPassword, String decryptPassword,
7146                IFullBackupRestoreObserver observer, AtomicBoolean latch) {
7147            mInputFile = fd;
7148            mCurrentPassword = curPassword;
7149            mDecryptPassword = decryptPassword;
7150            mObserver = observer;
7151            mLatchObject = latch;
7152            mAgent = null;
7153            mPackageManagerBackupAgent = new PackageManagerBackupAgent(mPackageManager);
7154            mAgentPackage = null;
7155            mTargetApp = null;
7156            mObbConnection = new FullBackupObbConnection();
7157
7158            // Which packages we've already wiped data on.  We prepopulate this
7159            // with a whitelist of packages known to be unclearable.
7160            mClearedPackages.add("android");
7161            mClearedPackages.add(SETTINGS_PACKAGE);
7162        }
7163
7164        class RestoreFileRunnable implements Runnable {
7165            IBackupAgent mAgent;
7166            FileMetadata mInfo;
7167            ParcelFileDescriptor mSocket;
7168            int mToken;
7169
7170            RestoreFileRunnable(IBackupAgent agent, FileMetadata info,
7171                    ParcelFileDescriptor socket, int token) throws IOException {
7172                mAgent = agent;
7173                mInfo = info;
7174                mToken = token;
7175
7176                // This class is used strictly for process-local binder invocations.  The
7177                // semantics of ParcelFileDescriptor differ in this case; in particular, we
7178                // do not automatically get a 'dup'ed descriptor that we can can continue
7179                // to use asynchronously from the caller.  So, we make sure to dup it ourselves
7180                // before proceeding to do the restore.
7181                mSocket = ParcelFileDescriptor.dup(socket.getFileDescriptor());
7182            }
7183
7184            @Override
7185            public void run() {
7186                try {
7187                    mAgent.doRestoreFile(mSocket, mInfo.size, mInfo.type,
7188                            mInfo.domain, mInfo.path, mInfo.mode, mInfo.mtime,
7189                            mToken, mBackupManagerBinder);
7190                } catch (RemoteException e) {
7191                    // never happens; this is used strictly for local binder calls
7192                }
7193            }
7194        }
7195
7196        @Override
7197        public void run() {
7198            Slog.i(TAG, "--- Performing full-dataset restore ---");
7199            mObbConnection.establish();
7200            sendStartRestore();
7201
7202            // Are we able to restore shared-storage data?
7203            if (Environment.getExternalStorageState().equals(Environment.MEDIA_MOUNTED)) {
7204                mPackagePolicies.put(SHARED_BACKUP_AGENT_PACKAGE, RestorePolicy.ACCEPT);
7205            }
7206
7207            FileInputStream rawInStream = null;
7208            DataInputStream rawDataIn = null;
7209            try {
7210                if (!backupPasswordMatches(mCurrentPassword)) {
7211                    if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
7212                    return;
7213                }
7214
7215                mBytes = 0;
7216                byte[] buffer = new byte[32 * 1024];
7217                rawInStream = new FileInputStream(mInputFile.getFileDescriptor());
7218                rawDataIn = new DataInputStream(rawInStream);
7219
7220                // First, parse out the unencrypted/uncompressed header
7221                boolean compressed = false;
7222                InputStream preCompressStream = rawInStream;
7223                final InputStream in;
7224
7225                boolean okay = false;
7226                final int headerLen = BACKUP_FILE_HEADER_MAGIC.length();
7227                byte[] streamHeader = new byte[headerLen];
7228                rawDataIn.readFully(streamHeader);
7229                byte[] magicBytes = BACKUP_FILE_HEADER_MAGIC.getBytes("UTF-8");
7230                if (Arrays.equals(magicBytes, streamHeader)) {
7231                    // okay, header looks good.  now parse out the rest of the fields.
7232                    String s = readHeaderLine(rawInStream);
7233                    final int archiveVersion = Integer.parseInt(s);
7234                    if (archiveVersion <= BACKUP_FILE_VERSION) {
7235                        // okay, it's a version we recognize.  if it's version 1, we may need
7236                        // to try two different PBKDF2 regimes to compare checksums.
7237                        final boolean pbkdf2Fallback = (archiveVersion == 1);
7238
7239                        s = readHeaderLine(rawInStream);
7240                        compressed = (Integer.parseInt(s) != 0);
7241                        s = readHeaderLine(rawInStream);
7242                        if (s.equals("none")) {
7243                            // no more header to parse; we're good to go
7244                            okay = true;
7245                        } else if (mDecryptPassword != null && mDecryptPassword.length() > 0) {
7246                            preCompressStream = decodeAesHeaderAndInitialize(s, pbkdf2Fallback,
7247                                    rawInStream);
7248                            if (preCompressStream != null) {
7249                                okay = true;
7250                            }
7251                        } else Slog.w(TAG, "Archive is encrypted but no password given");
7252                    } else Slog.w(TAG, "Wrong header version: " + s);
7253                } else Slog.w(TAG, "Didn't read the right header magic");
7254
7255                if (!okay) {
7256                    Slog.w(TAG, "Invalid restore data; aborting.");
7257                    return;
7258                }
7259
7260                // okay, use the right stream layer based on compression
7261                in = (compressed) ? new InflaterInputStream(preCompressStream) : preCompressStream;
7262
7263                boolean didRestore;
7264                do {
7265                    didRestore = restoreOneFile(in, buffer);
7266                } while (didRestore);
7267
7268                if (MORE_DEBUG) Slog.v(TAG, "Done consuming input tarfile, total bytes=" + mBytes);
7269            } catch (IOException e) {
7270                Slog.e(TAG, "Unable to read restore input");
7271            } finally {
7272                tearDownPipes();
7273                tearDownAgent(mTargetApp, true);
7274
7275                try {
7276                    if (rawDataIn != null) rawDataIn.close();
7277                    if (rawInStream != null) rawInStream.close();
7278                    mInputFile.close();
7279                } catch (IOException e) {
7280                    Slog.w(TAG, "Close of restore data pipe threw", e);
7281                    /* nothing we can do about this */
7282                }
7283                synchronized (mLatchObject) {
7284                    mLatchObject.set(true);
7285                    mLatchObject.notifyAll();
7286                }
7287                mObbConnection.tearDown();
7288                sendEndRestore();
7289                Slog.d(TAG, "Full restore pass complete.");
7290                mWakelock.release();
7291            }
7292        }
7293
7294        String readHeaderLine(InputStream in) throws IOException {
7295            int c;
7296            StringBuilder buffer = new StringBuilder(80);
7297            while ((c = in.read()) >= 0) {
7298                if (c == '\n') break;   // consume and discard the newlines
7299                buffer.append((char)c);
7300            }
7301            return buffer.toString();
7302        }
7303
7304        InputStream attemptMasterKeyDecryption(String algorithm, byte[] userSalt, byte[] ckSalt,
7305                int rounds, String userIvHex, String masterKeyBlobHex, InputStream rawInStream,
7306                boolean doLog) {
7307            InputStream result = null;
7308
7309            try {
7310                Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
7311                SecretKey userKey = buildPasswordKey(algorithm, mDecryptPassword, userSalt,
7312                        rounds);
7313                byte[] IV = hexToByteArray(userIvHex);
7314                IvParameterSpec ivSpec = new IvParameterSpec(IV);
7315                c.init(Cipher.DECRYPT_MODE,
7316                        new SecretKeySpec(userKey.getEncoded(), "AES"),
7317                        ivSpec);
7318                byte[] mkCipher = hexToByteArray(masterKeyBlobHex);
7319                byte[] mkBlob = c.doFinal(mkCipher);
7320
7321                // first, the master key IV
7322                int offset = 0;
7323                int len = mkBlob[offset++];
7324                IV = Arrays.copyOfRange(mkBlob, offset, offset + len);
7325                offset += len;
7326                // then the master key itself
7327                len = mkBlob[offset++];
7328                byte[] mk = Arrays.copyOfRange(mkBlob,
7329                        offset, offset + len);
7330                offset += len;
7331                // and finally the master key checksum hash
7332                len = mkBlob[offset++];
7333                byte[] mkChecksum = Arrays.copyOfRange(mkBlob,
7334                        offset, offset + len);
7335
7336                // now validate the decrypted master key against the checksum
7337                byte[] calculatedCk = makeKeyChecksum(algorithm, mk, ckSalt, rounds);
7338                if (Arrays.equals(calculatedCk, mkChecksum)) {
7339                    ivSpec = new IvParameterSpec(IV);
7340                    c.init(Cipher.DECRYPT_MODE,
7341                            new SecretKeySpec(mk, "AES"),
7342                            ivSpec);
7343                    // Only if all of the above worked properly will 'result' be assigned
7344                    result = new CipherInputStream(rawInStream, c);
7345                } else if (doLog) Slog.w(TAG, "Incorrect password");
7346            } catch (InvalidAlgorithmParameterException e) {
7347                if (doLog) Slog.e(TAG, "Needed parameter spec unavailable!", e);
7348            } catch (BadPaddingException e) {
7349                // This case frequently occurs when the wrong password is used to decrypt
7350                // the master key.  Use the identical "incorrect password" log text as is
7351                // used in the checksum failure log in order to avoid providing additional
7352                // information to an attacker.
7353                if (doLog) Slog.w(TAG, "Incorrect password");
7354            } catch (IllegalBlockSizeException e) {
7355                if (doLog) Slog.w(TAG, "Invalid block size in master key");
7356            } catch (NoSuchAlgorithmException e) {
7357                if (doLog) Slog.e(TAG, "Needed decryption algorithm unavailable!");
7358            } catch (NoSuchPaddingException e) {
7359                if (doLog) Slog.e(TAG, "Needed padding mechanism unavailable!");
7360            } catch (InvalidKeyException e) {
7361                if (doLog) Slog.w(TAG, "Illegal password; aborting");
7362            }
7363
7364            return result;
7365        }
7366
7367        InputStream decodeAesHeaderAndInitialize(String encryptionName, boolean pbkdf2Fallback,
7368                InputStream rawInStream) {
7369            InputStream result = null;
7370            try {
7371                if (encryptionName.equals(ENCRYPTION_ALGORITHM_NAME)) {
7372
7373                    String userSaltHex = readHeaderLine(rawInStream); // 5
7374                    byte[] userSalt = hexToByteArray(userSaltHex);
7375
7376                    String ckSaltHex = readHeaderLine(rawInStream); // 6
7377                    byte[] ckSalt = hexToByteArray(ckSaltHex);
7378
7379                    int rounds = Integer.parseInt(readHeaderLine(rawInStream)); // 7
7380                    String userIvHex = readHeaderLine(rawInStream); // 8
7381
7382                    String masterKeyBlobHex = readHeaderLine(rawInStream); // 9
7383
7384                    // decrypt the master key blob
7385                    result = attemptMasterKeyDecryption(PBKDF_CURRENT, userSalt, ckSalt,
7386                            rounds, userIvHex, masterKeyBlobHex, rawInStream, false);
7387                    if (result == null && pbkdf2Fallback) {
7388                        result = attemptMasterKeyDecryption(PBKDF_FALLBACK, userSalt, ckSalt,
7389                                rounds, userIvHex, masterKeyBlobHex, rawInStream, true);
7390                    }
7391                } else Slog.w(TAG, "Unsupported encryption method: " + encryptionName);
7392            } catch (NumberFormatException e) {
7393                Slog.w(TAG, "Can't parse restore data header");
7394            } catch (IOException e) {
7395                Slog.w(TAG, "Can't read input header");
7396            }
7397
7398            return result;
7399        }
7400
7401        boolean restoreOneFile(InputStream instream, byte[] buffer) {
7402            FileMetadata info;
7403            try {
7404                info = readTarHeaders(instream);
7405                if (info != null) {
7406                    if (MORE_DEBUG) {
7407                        dumpFileMetadata(info);
7408                    }
7409
7410                    final String pkg = info.packageName;
7411                    if (!pkg.equals(mAgentPackage)) {
7412                        // okay, change in package; set up our various
7413                        // bookkeeping if we haven't seen it yet
7414                        if (!mPackagePolicies.containsKey(pkg)) {
7415                            mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
7416                        }
7417
7418                        // Clean up the previous agent relationship if necessary,
7419                        // and let the observer know we're considering a new app.
7420                        if (mAgent != null) {
7421                            if (DEBUG) Slog.d(TAG, "Saw new package; finalizing old one");
7422                            // Now we're really done
7423                            tearDownPipes();
7424                            tearDownAgent(mTargetApp, true);
7425                            mTargetApp = null;
7426                            mAgentPackage = null;
7427                        }
7428                    }
7429
7430                    if (info.path.equals(BACKUP_MANIFEST_FILENAME)) {
7431                        mPackagePolicies.put(pkg, readAppManifest(info, instream));
7432                        mPackageInstallers.put(pkg, info.installerPackageName);
7433                        // We've read only the manifest content itself at this point,
7434                        // so consume the footer before looping around to the next
7435                        // input file
7436                        skipTarPadding(info.size, instream);
7437                        sendOnRestorePackage(pkg);
7438                    } else if (info.path.equals(BACKUP_METADATA_FILENAME)) {
7439                        // Metadata blobs!
7440                        readMetadata(info, instream);
7441                        skipTarPadding(info.size, instream);
7442                    } else {
7443                        // Non-manifest, so it's actual file data.  Is this a package
7444                        // we're ignoring?
7445                        boolean okay = true;
7446                        RestorePolicy policy = mPackagePolicies.get(pkg);
7447                        switch (policy) {
7448                            case IGNORE:
7449                                okay = false;
7450                                break;
7451
7452                            case ACCEPT_IF_APK:
7453                                // If we're in accept-if-apk state, then the first file we
7454                                // see MUST be the apk.
7455                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
7456                                    if (DEBUG) Slog.d(TAG, "APK file; installing");
7457                                    // Try to install the app.
7458                                    String installerName = mPackageInstallers.get(pkg);
7459                                    okay = installApk(info, installerName, instream);
7460                                    // good to go; promote to ACCEPT
7461                                    mPackagePolicies.put(pkg, (okay)
7462                                            ? RestorePolicy.ACCEPT
7463                                            : RestorePolicy.IGNORE);
7464                                    // At this point we've consumed this file entry
7465                                    // ourselves, so just strip the tar footer and
7466                                    // go on to the next file in the input stream
7467                                    skipTarPadding(info.size, instream);
7468                                    return true;
7469                                } else {
7470                                    // File data before (or without) the apk.  We can't
7471                                    // handle it coherently in this case so ignore it.
7472                                    mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
7473                                    okay = false;
7474                                }
7475                                break;
7476
7477                            case ACCEPT:
7478                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
7479                                    if (DEBUG) Slog.d(TAG, "apk present but ACCEPT");
7480                                    // we can take the data without the apk, so we
7481                                    // *want* to do so.  skip the apk by declaring this
7482                                    // one file not-okay without changing the restore
7483                                    // policy for the package.
7484                                    okay = false;
7485                                }
7486                                break;
7487
7488                            default:
7489                                // Something has gone dreadfully wrong when determining
7490                                // the restore policy from the manifest.  Ignore the
7491                                // rest of this package's data.
7492                                Slog.e(TAG, "Invalid policy from manifest");
7493                                okay = false;
7494                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
7495                                break;
7496                        }
7497
7498                        // The path needs to be canonical
7499                        if (info.path.contains("..") || info.path.contains("//")) {
7500                            if (MORE_DEBUG) {
7501                                Slog.w(TAG, "Dropping invalid path " + info.path);
7502                            }
7503                            okay = false;
7504                        }
7505
7506                        // If the policy is satisfied, go ahead and set up to pipe the
7507                        // data to the agent.
7508                        if (DEBUG && okay && mAgent != null) {
7509                            Slog.i(TAG, "Reusing existing agent instance");
7510                        }
7511                        if (okay && mAgent == null) {
7512                            if (DEBUG) Slog.d(TAG, "Need to launch agent for " + pkg);
7513
7514                            try {
7515                                mTargetApp = mPackageManager.getApplicationInfo(pkg, 0);
7516
7517                                // If we haven't sent any data to this app yet, we probably
7518                                // need to clear it first.  Check that.
7519                                if (!mClearedPackages.contains(pkg)) {
7520                                    // apps with their own backup agents are
7521                                    // responsible for coherently managing a full
7522                                    // restore.
7523                                    if (mTargetApp.backupAgentName == null) {
7524                                        if (DEBUG) Slog.d(TAG, "Clearing app data preparatory to full restore");
7525                                        clearApplicationDataSynchronous(pkg);
7526                                    } else {
7527                                        if (DEBUG) Slog.d(TAG, "backup agent ("
7528                                                + mTargetApp.backupAgentName + ") => no clear");
7529                                    }
7530                                    mClearedPackages.add(pkg);
7531                                } else {
7532                                    if (DEBUG) Slog.d(TAG, "We've initialized this app already; no clear required");
7533                                }
7534
7535                                // All set; now set up the IPC and launch the agent
7536                                setUpPipes();
7537                                mAgent = bindToAgentSynchronous(mTargetApp,
7538                                        ApplicationThreadConstants.BACKUP_MODE_RESTORE_FULL);
7539                                mAgentPackage = pkg;
7540                            } catch (IOException e) {
7541                                // fall through to error handling
7542                            } catch (NameNotFoundException e) {
7543                                // fall through to error handling
7544                            }
7545
7546                            if (mAgent == null) {
7547                                if (DEBUG) Slog.d(TAG, "Unable to create agent for " + pkg);
7548                                okay = false;
7549                                tearDownPipes();
7550                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
7551                            }
7552                        }
7553
7554                        // Sanity check: make sure we never give data to the wrong app.  This
7555                        // should never happen but a little paranoia here won't go amiss.
7556                        if (okay && !pkg.equals(mAgentPackage)) {
7557                            Slog.e(TAG, "Restoring data for " + pkg
7558                                    + " but agent is for " + mAgentPackage);
7559                            okay = false;
7560                        }
7561
7562                        // At this point we have an agent ready to handle the full
7563                        // restore data as well as a pipe for sending data to
7564                        // that agent.  Tell the agent to start reading from the
7565                        // pipe.
7566                        if (okay) {
7567                            boolean agentSuccess = true;
7568                            long toCopy = info.size;
7569                            final boolean isSharedStorage = pkg.equals(SHARED_BACKUP_AGENT_PACKAGE);
7570                            final long timeout = isSharedStorage ?
7571                                    TIMEOUT_SHARED_BACKUP_INTERVAL : TIMEOUT_RESTORE_INTERVAL;
7572                            final int token = generateRandomIntegerToken();
7573                            try {
7574                                prepareOperationTimeout(token, timeout, null,
7575                                        OP_TYPE_RESTORE_WAIT);
7576                                if (FullBackup.OBB_TREE_TOKEN.equals(info.domain)) {
7577                                    if (DEBUG) Slog.d(TAG, "Restoring OBB file for " + pkg
7578                                            + " : " + info.path);
7579                                    mObbConnection.restoreObbFile(pkg, mPipes[0],
7580                                            info.size, info.type, info.path, info.mode,
7581                                            info.mtime, token, mBackupManagerBinder);
7582                                } else if (FullBackup.KEY_VALUE_DATA_TOKEN.equals(info.domain)) {
7583                                    if (DEBUG) Slog.d(TAG, "Restoring key-value file for " + pkg
7584                                            + " : " + info.path);
7585                                    KeyValueAdbRestoreEngine restoreEngine =
7586                                            new KeyValueAdbRestoreEngine(BackupManagerService.this,
7587                                                    mDataDir, info, mPipes[0], mAgent, token);
7588                                    new Thread(restoreEngine, "restore-key-value-runner").start();
7589                                } else {
7590                                    if (DEBUG) Slog.d(TAG, "Invoking agent to restore file "
7591                                            + info.path);
7592                                    // fire up the app's agent listening on the socket.  If
7593                                    // the agent is running in the system process we can't
7594                                    // just invoke it asynchronously, so we provide a thread
7595                                    // for it here.
7596                                    if (mTargetApp.processName.equals("system")) {
7597                                        Slog.d(TAG, "system process agent - spinning a thread");
7598                                        RestoreFileRunnable runner = new RestoreFileRunnable(
7599                                                mAgent, info, mPipes[0], token);
7600                                        new Thread(runner, "restore-sys-runner").start();
7601                                    } else {
7602                                        mAgent.doRestoreFile(mPipes[0], info.size, info.type,
7603                                                info.domain, info.path, info.mode, info.mtime,
7604                                                token, mBackupManagerBinder);
7605                                    }
7606                                }
7607                            } catch (IOException e) {
7608                                // couldn't dup the socket for a process-local restore
7609                                Slog.d(TAG, "Couldn't establish restore");
7610                                agentSuccess = false;
7611                                okay = false;
7612                            } catch (RemoteException e) {
7613                                // whoops, remote entity went away.  We'll eat the content
7614                                // ourselves, then, and not copy it over.
7615                                Slog.e(TAG, "Agent crashed during full restore");
7616                                agentSuccess = false;
7617                                okay = false;
7618                            }
7619
7620                            // Copy over the data if the agent is still good
7621                            if (okay) {
7622                                boolean pipeOkay = true;
7623                                FileOutputStream pipe = new FileOutputStream(
7624                                        mPipes[1].getFileDescriptor());
7625                                while (toCopy > 0) {
7626                                    int toRead = (toCopy > buffer.length)
7627                                    ? buffer.length : (int)toCopy;
7628                                    int nRead = instream.read(buffer, 0, toRead);
7629                                    if (nRead >= 0) mBytes += nRead;
7630                                    if (nRead <= 0) break;
7631                                    toCopy -= nRead;
7632
7633                                    // send it to the output pipe as long as things
7634                                    // are still good
7635                                    if (pipeOkay) {
7636                                        try {
7637                                            pipe.write(buffer, 0, nRead);
7638                                        } catch (IOException e) {
7639                                            Slog.e(TAG, "Failed to write to restore pipe", e);
7640                                            pipeOkay = false;
7641                                        }
7642                                    }
7643                                }
7644
7645                                // done sending that file!  Now we just need to consume
7646                                // the delta from info.size to the end of block.
7647                                skipTarPadding(info.size, instream);
7648
7649                                // and now that we've sent it all, wait for the remote
7650                                // side to acknowledge receipt
7651                                agentSuccess = waitUntilOperationComplete(token);
7652                            }
7653
7654                            // okay, if the remote end failed at any point, deal with
7655                            // it by ignoring the rest of the restore on it
7656                            if (!agentSuccess) {
7657                                if (DEBUG) {
7658                                    Slog.d(TAG, "Agent failure restoring " + pkg + "; now ignoring");
7659                                }
7660                                mBackupHandler.removeMessages(MSG_RESTORE_OPERATION_TIMEOUT);
7661                                tearDownPipes();
7662                                tearDownAgent(mTargetApp, false);
7663                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
7664                            }
7665                        }
7666
7667                        // Problems setting up the agent communication, or an already-
7668                        // ignored package: skip to the next tar stream entry by
7669                        // reading and discarding this file.
7670                        if (!okay) {
7671                            if (DEBUG) Slog.d(TAG, "[discarding file content]");
7672                            long bytesToConsume = (info.size + 511) & ~511;
7673                            while (bytesToConsume > 0) {
7674                                int toRead = (bytesToConsume > buffer.length)
7675                                ? buffer.length : (int)bytesToConsume;
7676                                long nRead = instream.read(buffer, 0, toRead);
7677                                if (nRead >= 0) mBytes += nRead;
7678                                if (nRead <= 0) break;
7679                                bytesToConsume -= nRead;
7680                            }
7681                        }
7682                    }
7683                }
7684            } catch (IOException e) {
7685                if (DEBUG) Slog.w(TAG, "io exception on restore socket read", e);
7686                // treat as EOF
7687                info = null;
7688            }
7689
7690            return (info != null);
7691        }
7692
7693        void setUpPipes() throws IOException {
7694            mPipes = ParcelFileDescriptor.createPipe();
7695        }
7696
7697        void tearDownPipes() {
7698            if (mPipes != null) {
7699                try {
7700                    mPipes[0].close();
7701                    mPipes[0] = null;
7702                    mPipes[1].close();
7703                    mPipes[1] = null;
7704                } catch (IOException e) {
7705                    Slog.w(TAG, "Couldn't close agent pipes", e);
7706                }
7707                mPipes = null;
7708            }
7709        }
7710
7711        void tearDownAgent(ApplicationInfo app, boolean doRestoreFinished) {
7712            if (mAgent != null) {
7713                try {
7714                    // In the adb restore case, we do restore-finished here
7715                    if (doRestoreFinished) {
7716                        final int token = generateRandomIntegerToken();
7717                        final AdbRestoreFinishedLatch latch = new AdbRestoreFinishedLatch(token);
7718                        prepareOperationTimeout(token, TIMEOUT_FULL_BACKUP_INTERVAL, latch,
7719                                OP_TYPE_RESTORE_WAIT);
7720                        if (mTargetApp.processName.equals("system")) {
7721                            if (MORE_DEBUG) {
7722                                Slog.d(TAG, "system agent - restoreFinished on thread");
7723                            }
7724                            Runnable runner = new RestoreFinishedRunnable(mAgent, token);
7725                            new Thread(runner, "restore-sys-finished-runner").start();
7726                        } else {
7727                            mAgent.doRestoreFinished(token, mBackupManagerBinder);
7728                        }
7729
7730                        latch.await();
7731                    }
7732
7733                    // unbind and tidy up even on timeout or failure, just in case
7734                    mActivityManager.unbindBackupAgent(app);
7735
7736                    // The agent was running with a stub Application object, so shut it down.
7737                    // !!! We hardcode the confirmation UI's package name here rather than use a
7738                    //     manifest flag!  TODO something less direct.
7739                    if (app.uid >= Process.FIRST_APPLICATION_UID
7740                            && !app.packageName.equals("com.android.backupconfirm")) {
7741                        if (DEBUG) Slog.d(TAG, "Killing host process");
7742                        mActivityManager.killApplicationProcess(app.processName, app.uid);
7743                    } else {
7744                        if (DEBUG) Slog.d(TAG, "Not killing after full restore");
7745                    }
7746                } catch (RemoteException e) {
7747                    Slog.d(TAG, "Lost app trying to shut down");
7748                }
7749                mAgent = null;
7750            }
7751        }
7752
7753        class RestoreInstallObserver extends PackageInstallObserver {
7754            final AtomicBoolean mDone = new AtomicBoolean();
7755            String mPackageName;
7756            int mResult;
7757
7758            public void reset() {
7759                synchronized (mDone) {
7760                    mDone.set(false);
7761                }
7762            }
7763
7764            public void waitForCompletion() {
7765                synchronized (mDone) {
7766                    while (mDone.get() == false) {
7767                        try {
7768                            mDone.wait();
7769                        } catch (InterruptedException e) { }
7770                    }
7771                }
7772            }
7773
7774            int getResult() {
7775                return mResult;
7776            }
7777
7778            @Override
7779            public void onPackageInstalled(String packageName, int returnCode,
7780                    String msg, Bundle extras) {
7781                synchronized (mDone) {
7782                    mResult = returnCode;
7783                    mPackageName = packageName;
7784                    mDone.set(true);
7785                    mDone.notifyAll();
7786                }
7787            }
7788        }
7789
7790        class RestoreDeleteObserver extends IPackageDeleteObserver.Stub {
7791            final AtomicBoolean mDone = new AtomicBoolean();
7792            int mResult;
7793
7794            public void reset() {
7795                synchronized (mDone) {
7796                    mDone.set(false);
7797                }
7798            }
7799
7800            public void waitForCompletion() {
7801                synchronized (mDone) {
7802                    while (mDone.get() == false) {
7803                        try {
7804                            mDone.wait();
7805                        } catch (InterruptedException e) { }
7806                    }
7807                }
7808            }
7809
7810            @Override
7811            public void packageDeleted(String packageName, int returnCode) throws RemoteException {
7812                synchronized (mDone) {
7813                    mResult = returnCode;
7814                    mDone.set(true);
7815                    mDone.notifyAll();
7816                }
7817            }
7818        }
7819
7820        final RestoreInstallObserver mInstallObserver = new RestoreInstallObserver();
7821        final RestoreDeleteObserver mDeleteObserver = new RestoreDeleteObserver();
7822
7823        boolean installApk(FileMetadata info, String installerPackage, InputStream instream) {
7824            boolean okay = true;
7825
7826            if (DEBUG) Slog.d(TAG, "Installing from backup: " + info.packageName);
7827
7828            // The file content is an .apk file.  Copy it out to a staging location and
7829            // attempt to install it.
7830            File apkFile = new File(mDataDir, info.packageName);
7831            try {
7832                FileOutputStream apkStream = new FileOutputStream(apkFile);
7833                byte[] buffer = new byte[32 * 1024];
7834                long size = info.size;
7835                while (size > 0) {
7836                    long toRead = (buffer.length < size) ? buffer.length : size;
7837                    int didRead = instream.read(buffer, 0, (int)toRead);
7838                    if (didRead >= 0) mBytes += didRead;
7839                    apkStream.write(buffer, 0, didRead);
7840                    size -= didRead;
7841                }
7842                apkStream.close();
7843
7844                // make sure the installer can read it
7845                apkFile.setReadable(true, false);
7846
7847                // Now install it
7848                Uri packageUri = Uri.fromFile(apkFile);
7849                mInstallObserver.reset();
7850                mPackageManager.installPackage(packageUri, mInstallObserver,
7851                        PackageManager.INSTALL_REPLACE_EXISTING | PackageManager.INSTALL_FROM_ADB,
7852                        installerPackage);
7853                mInstallObserver.waitForCompletion();
7854
7855                if (mInstallObserver.getResult() != PackageManager.INSTALL_SUCCEEDED) {
7856                    // The only time we continue to accept install of data even if the
7857                    // apk install failed is if we had already determined that we could
7858                    // accept the data regardless.
7859                    if (mPackagePolicies.get(info.packageName) != RestorePolicy.ACCEPT) {
7860                        okay = false;
7861                    }
7862                } else {
7863                    // Okay, the install succeeded.  Make sure it was the right app.
7864                    boolean uninstall = false;
7865                    if (!mInstallObserver.mPackageName.equals(info.packageName)) {
7866                        Slog.w(TAG, "Restore stream claimed to include apk for "
7867                                + info.packageName + " but apk was really "
7868                                + mInstallObserver.mPackageName);
7869                        // delete the package we just put in place; it might be fraudulent
7870                        okay = false;
7871                        uninstall = true;
7872                    } else {
7873                        try {
7874                            PackageInfo pkg = mPackageManager.getPackageInfo(info.packageName,
7875                                    PackageManager.GET_SIGNATURES);
7876                            if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
7877                                Slog.w(TAG, "Restore stream contains apk of package "
7878                                        + info.packageName + " but it disallows backup/restore");
7879                                okay = false;
7880                            } else {
7881                                // So far so good -- do the signatures match the manifest?
7882                                Signature[] sigs = mManifestSignatures.get(info.packageName);
7883                                if (signaturesMatch(sigs, pkg)) {
7884                                    // If this is a system-uid app without a declared backup agent,
7885                                    // don't restore any of the file data.
7886                                    if ((pkg.applicationInfo.uid < Process.FIRST_APPLICATION_UID)
7887                                            && (pkg.applicationInfo.backupAgentName == null)) {
7888                                        Slog.w(TAG, "Installed app " + info.packageName
7889                                                + " has restricted uid and no agent");
7890                                        okay = false;
7891                                    }
7892                                } else {
7893                                    Slog.w(TAG, "Installed app " + info.packageName
7894                                            + " signatures do not match restore manifest");
7895                                    okay = false;
7896                                    uninstall = true;
7897                                }
7898                            }
7899                        } catch (NameNotFoundException e) {
7900                            Slog.w(TAG, "Install of package " + info.packageName
7901                                    + " succeeded but now not found");
7902                            okay = false;
7903                        }
7904                    }
7905
7906                    // If we're not okay at this point, we need to delete the package
7907                    // that we just installed.
7908                    if (uninstall) {
7909                        mDeleteObserver.reset();
7910                        mPackageManager.deletePackage(mInstallObserver.mPackageName,
7911                                mDeleteObserver, 0);
7912                        mDeleteObserver.waitForCompletion();
7913                    }
7914                }
7915            } catch (IOException e) {
7916                Slog.e(TAG, "Unable to transcribe restored apk for install");
7917                okay = false;
7918            } finally {
7919                apkFile.delete();
7920            }
7921
7922            return okay;
7923        }
7924
7925        // Given an actual file content size, consume the post-content padding mandated
7926        // by the tar format.
7927        void skipTarPadding(long size, InputStream instream) throws IOException {
7928            long partial = (size + 512) % 512;
7929            if (partial > 0) {
7930                final int needed = 512 - (int)partial;
7931                byte[] buffer = new byte[needed];
7932                if (readExactly(instream, buffer, 0, needed) == needed) {
7933                    mBytes += needed;
7934                } else throw new IOException("Unexpected EOF in padding");
7935            }
7936        }
7937
7938        // Read a widget metadata file, returning the restored blob
7939        void readMetadata(FileMetadata info, InputStream instream) throws IOException {
7940            // Fail on suspiciously large widget dump files
7941            if (info.size > 64 * 1024) {
7942                throw new IOException("Metadata too big; corrupt? size=" + info.size);
7943            }
7944
7945            byte[] buffer = new byte[(int) info.size];
7946            if (readExactly(instream, buffer, 0, (int)info.size) == info.size) {
7947                mBytes += info.size;
7948            } else throw new IOException("Unexpected EOF in widget data");
7949
7950            String[] str = new String[1];
7951            int offset = extractLine(buffer, 0, str);
7952            int version = Integer.parseInt(str[0]);
7953            if (version == BACKUP_MANIFEST_VERSION) {
7954                offset = extractLine(buffer, offset, str);
7955                final String pkg = str[0];
7956                if (info.packageName.equals(pkg)) {
7957                    // Data checks out -- the rest of the buffer is a concatenation of
7958                    // binary blobs as described in the comment at writeAppWidgetData()
7959                    ByteArrayInputStream bin = new ByteArrayInputStream(buffer,
7960                            offset, buffer.length - offset);
7961                    DataInputStream in = new DataInputStream(bin);
7962                    while (bin.available() > 0) {
7963                        int token = in.readInt();
7964                        int size = in.readInt();
7965                        if (size > 64 * 1024) {
7966                            throw new IOException("Datum "
7967                                    + Integer.toHexString(token)
7968                                    + " too big; corrupt? size=" + info.size);
7969                        }
7970                        switch (token) {
7971                            case BACKUP_WIDGET_METADATA_TOKEN:
7972                            {
7973                                if (MORE_DEBUG) {
7974                                    Slog.i(TAG, "Got widget metadata for " + info.packageName);
7975                                }
7976                                mWidgetData = new byte[size];
7977                                in.read(mWidgetData);
7978                                break;
7979                            }
7980                            default:
7981                            {
7982                                if (DEBUG) {
7983                                    Slog.i(TAG, "Ignoring metadata blob "
7984                                            + Integer.toHexString(token)
7985                                            + " for " + info.packageName);
7986                                }
7987                                in.skipBytes(size);
7988                                break;
7989                            }
7990                        }
7991                    }
7992                } else {
7993                    Slog.w(TAG, "Metadata mismatch: package " + info.packageName
7994                            + " but widget data for " + pkg);
7995                }
7996            } else {
7997                Slog.w(TAG, "Unsupported metadata version " + version);
7998            }
7999        }
8000
8001        // Returns a policy constant; takes a buffer arg to reduce memory churn
8002        RestorePolicy readAppManifest(FileMetadata info, InputStream instream)
8003                throws IOException {
8004            // Fail on suspiciously large manifest files
8005            if (info.size > 64 * 1024) {
8006                throw new IOException("Restore manifest too big; corrupt? size=" + info.size);
8007            }
8008
8009            byte[] buffer = new byte[(int) info.size];
8010            if (readExactly(instream, buffer, 0, (int)info.size) == info.size) {
8011                mBytes += info.size;
8012            } else throw new IOException("Unexpected EOF in manifest");
8013
8014            RestorePolicy policy = RestorePolicy.IGNORE;
8015            String[] str = new String[1];
8016            int offset = 0;
8017
8018            try {
8019                offset = extractLine(buffer, offset, str);
8020                int version = Integer.parseInt(str[0]);
8021                if (version == BACKUP_MANIFEST_VERSION) {
8022                    offset = extractLine(buffer, offset, str);
8023                    String manifestPackage = str[0];
8024                    // TODO: handle <original-package>
8025                    if (manifestPackage.equals(info.packageName)) {
8026                        offset = extractLine(buffer, offset, str);
8027                        version = Integer.parseInt(str[0]);  // app version
8028                        offset = extractLine(buffer, offset, str);
8029                        // This is the platform version, which we don't use, but we parse it
8030                        // as a safety against corruption in the manifest.
8031                        Integer.parseInt(str[0]);
8032                        offset = extractLine(buffer, offset, str);
8033                        info.installerPackageName = (str[0].length() > 0) ? str[0] : null;
8034                        offset = extractLine(buffer, offset, str);
8035                        boolean hasApk = str[0].equals("1");
8036                        offset = extractLine(buffer, offset, str);
8037                        int numSigs = Integer.parseInt(str[0]);
8038                        if (numSigs > 0) {
8039                            Signature[] sigs = new Signature[numSigs];
8040                            for (int i = 0; i < numSigs; i++) {
8041                                offset = extractLine(buffer, offset, str);
8042                                sigs[i] = new Signature(str[0]);
8043                            }
8044                            mManifestSignatures.put(info.packageName, sigs);
8045
8046                            // Okay, got the manifest info we need...
8047                            try {
8048                                PackageInfo pkgInfo = mPackageManager.getPackageInfo(
8049                                        info.packageName, PackageManager.GET_SIGNATURES);
8050                                // Fall through to IGNORE if the app explicitly disallows backup
8051                                final int flags = pkgInfo.applicationInfo.flags;
8052                                if ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
8053                                    // Restore system-uid-space packages only if they have
8054                                    // defined a custom backup agent
8055                                    if ((pkgInfo.applicationInfo.uid >= Process.FIRST_APPLICATION_UID)
8056                                            || (pkgInfo.applicationInfo.backupAgentName != null)) {
8057                                        // Verify signatures against any installed version; if they
8058                                        // don't match, then we fall though and ignore the data.  The
8059                                        // signatureMatch() method explicitly ignores the signature
8060                                        // check for packages installed on the system partition, because
8061                                        // such packages are signed with the platform cert instead of
8062                                        // the app developer's cert, so they're different on every
8063                                        // device.
8064                                        if (signaturesMatch(sigs, pkgInfo)) {
8065                                            if ((pkgInfo.applicationInfo.flags
8066                                                    & ApplicationInfo.FLAG_RESTORE_ANY_VERSION) != 0) {
8067                                                Slog.i(TAG, "Package has restoreAnyVersion; taking data");
8068                                                policy = RestorePolicy.ACCEPT;
8069                                            } else if (pkgInfo.versionCode >= version) {
8070                                                Slog.i(TAG, "Sig + version match; taking data");
8071                                                policy = RestorePolicy.ACCEPT;
8072                                            } else {
8073                                                // The data is from a newer version of the app than
8074                                                // is presently installed.  That means we can only
8075                                                // use it if the matching apk is also supplied.
8076                                                Slog.d(TAG, "Data version " + version
8077                                                        + " is newer than installed version "
8078                                                        + pkgInfo.versionCode + " - requiring apk");
8079                                                policy = RestorePolicy.ACCEPT_IF_APK;
8080                                            }
8081                                        } else {
8082                                            Slog.w(TAG, "Restore manifest signatures do not match "
8083                                                    + "installed application for " + info.packageName);
8084                                        }
8085                                    } else {
8086                                        Slog.w(TAG, "Package " + info.packageName
8087                                                + " is system level with no agent");
8088                                    }
8089                                } else {
8090                                    if (DEBUG) Slog.i(TAG, "Restore manifest from "
8091                                            + info.packageName + " but allowBackup=false");
8092                                }
8093                            } catch (NameNotFoundException e) {
8094                                // Okay, the target app isn't installed.  We can process
8095                                // the restore properly only if the dataset provides the
8096                                // apk file and we can successfully install it.
8097                                if (DEBUG) Slog.i(TAG, "Package " + info.packageName
8098                                        + " not installed; requiring apk in dataset");
8099                                policy = RestorePolicy.ACCEPT_IF_APK;
8100                            }
8101
8102                            if (policy == RestorePolicy.ACCEPT_IF_APK && !hasApk) {
8103                                Slog.i(TAG, "Cannot restore package " + info.packageName
8104                                        + " without the matching .apk");
8105                            }
8106                        } else {
8107                            Slog.i(TAG, "Missing signature on backed-up package "
8108                                    + info.packageName);
8109                        }
8110                    } else {
8111                        Slog.i(TAG, "Expected package " + info.packageName
8112                                + " but restore manifest claims " + manifestPackage);
8113                    }
8114                } else {
8115                    Slog.i(TAG, "Unknown restore manifest version " + version
8116                            + " for package " + info.packageName);
8117                }
8118            } catch (NumberFormatException e) {
8119                Slog.w(TAG, "Corrupt restore manifest for package " + info.packageName);
8120            } catch (IllegalArgumentException e) {
8121                Slog.w(TAG, e.getMessage());
8122            }
8123
8124            return policy;
8125        }
8126
8127        // Builds a line from a byte buffer starting at 'offset', and returns
8128        // the index of the next unconsumed data in the buffer.
8129        int extractLine(byte[] buffer, int offset, String[] outStr) throws IOException {
8130            final int end = buffer.length;
8131            if (offset >= end) throw new IOException("Incomplete data");
8132
8133            int pos;
8134            for (pos = offset; pos < end; pos++) {
8135                byte c = buffer[pos];
8136                // at LF we declare end of line, and return the next char as the
8137                // starting point for the next time through
8138                if (c == '\n') {
8139                    break;
8140                }
8141            }
8142            outStr[0] = new String(buffer, offset, pos - offset);
8143            pos++;  // may be pointing an extra byte past the end but that's okay
8144            return pos;
8145        }
8146
8147        void dumpFileMetadata(FileMetadata info) {
8148            if (DEBUG) {
8149                StringBuilder b = new StringBuilder(128);
8150
8151                // mode string
8152                b.append((info.type == BackupAgent.TYPE_DIRECTORY) ? 'd' : '-');
8153                b.append(((info.mode & 0400) != 0) ? 'r' : '-');
8154                b.append(((info.mode & 0200) != 0) ? 'w' : '-');
8155                b.append(((info.mode & 0100) != 0) ? 'x' : '-');
8156                b.append(((info.mode & 0040) != 0) ? 'r' : '-');
8157                b.append(((info.mode & 0020) != 0) ? 'w' : '-');
8158                b.append(((info.mode & 0010) != 0) ? 'x' : '-');
8159                b.append(((info.mode & 0004) != 0) ? 'r' : '-');
8160                b.append(((info.mode & 0002) != 0) ? 'w' : '-');
8161                b.append(((info.mode & 0001) != 0) ? 'x' : '-');
8162                b.append(String.format(" %9d ", info.size));
8163
8164                Date stamp = new Date(info.mtime);
8165                b.append(new SimpleDateFormat("MMM dd HH:mm:ss ").format(stamp));
8166
8167                b.append(info.packageName);
8168                b.append(" :: ");
8169                b.append(info.domain);
8170                b.append(" :: ");
8171                b.append(info.path);
8172
8173                Slog.i(TAG, b.toString());
8174            }
8175        }
8176
8177        // Consume a tar file header block [sequence] and accumulate the relevant metadata
8178        FileMetadata readTarHeaders(InputStream instream) throws IOException {
8179            byte[] block = new byte[512];
8180            FileMetadata info = null;
8181
8182            boolean gotHeader = readTarHeader(instream, block);
8183            if (gotHeader) {
8184                try {
8185                    // okay, presume we're okay, and extract the various metadata
8186                    info = new FileMetadata();
8187                    info.size = extractRadix(block, 124, 12, 8);
8188                    info.mtime = extractRadix(block, 136, 12, 8);
8189                    info.mode = extractRadix(block, 100, 8, 8);
8190
8191                    info.path = extractString(block, 345, 155); // prefix
8192                    String path = extractString(block, 0, 100);
8193                    if (path.length() > 0) {
8194                        if (info.path.length() > 0) info.path += '/';
8195                        info.path += path;
8196                    }
8197
8198                    // tar link indicator field: 1 byte at offset 156 in the header.
8199                    int typeChar = block[156];
8200                    if (typeChar == 'x') {
8201                        // pax extended header, so we need to read that
8202                        gotHeader = readPaxExtendedHeader(instream, info);
8203                        if (gotHeader) {
8204                            // and after a pax extended header comes another real header -- read
8205                            // that to find the real file type
8206                            gotHeader = readTarHeader(instream, block);
8207                        }
8208                        if (!gotHeader) throw new IOException("Bad or missing pax header");
8209
8210                        typeChar = block[156];
8211                    }
8212
8213                    switch (typeChar) {
8214                        case '0': info.type = BackupAgent.TYPE_FILE; break;
8215                        case '5': {
8216                            info.type = BackupAgent.TYPE_DIRECTORY;
8217                            if (info.size != 0) {
8218                                Slog.w(TAG, "Directory entry with nonzero size in header");
8219                                info.size = 0;
8220                            }
8221                            break;
8222                        }
8223                        case 0: {
8224                            // presume EOF
8225                            if (DEBUG) Slog.w(TAG, "Saw type=0 in tar header block, info=" + info);
8226                            return null;
8227                        }
8228                        default: {
8229                            Slog.e(TAG, "Unknown tar entity type: " + typeChar);
8230                            throw new IOException("Unknown entity type " + typeChar);
8231                        }
8232                    }
8233
8234                    // Parse out the path
8235                    //
8236                    // first: apps/shared/unrecognized
8237                    if (FullBackup.SHARED_PREFIX.regionMatches(0,
8238                            info.path, 0, FullBackup.SHARED_PREFIX.length())) {
8239                        // File in shared storage.  !!! TODO: implement this.
8240                        info.path = info.path.substring(FullBackup.SHARED_PREFIX.length());
8241                        info.packageName = SHARED_BACKUP_AGENT_PACKAGE;
8242                        info.domain = FullBackup.SHARED_STORAGE_TOKEN;
8243                        if (DEBUG) Slog.i(TAG, "File in shared storage: " + info.path);
8244                    } else if (FullBackup.APPS_PREFIX.regionMatches(0,
8245                            info.path, 0, FullBackup.APPS_PREFIX.length())) {
8246                        // App content!  Parse out the package name and domain
8247
8248                        // strip the apps/ prefix
8249                        info.path = info.path.substring(FullBackup.APPS_PREFIX.length());
8250
8251                        // extract the package name
8252                        int slash = info.path.indexOf('/');
8253                        if (slash < 0) throw new IOException("Illegal semantic path in " + info.path);
8254                        info.packageName = info.path.substring(0, slash);
8255                        info.path = info.path.substring(slash+1);
8256
8257                        // if it's a manifest or metadata payload we're done, otherwise parse
8258                        // out the domain into which the file will be restored
8259                        if (!info.path.equals(BACKUP_MANIFEST_FILENAME)
8260                                && !info.path.equals(BACKUP_METADATA_FILENAME)) {
8261                            slash = info.path.indexOf('/');
8262                            if (slash < 0) throw new IOException("Illegal semantic path in non-manifest " + info.path);
8263                            info.domain = info.path.substring(0, slash);
8264                            info.path = info.path.substring(slash + 1);
8265                        }
8266                    }
8267                } catch (IOException e) {
8268                    if (DEBUG) {
8269                        Slog.e(TAG, "Parse error in header: " + e.getMessage());
8270                        HEXLOG(block);
8271                    }
8272                    throw e;
8273                }
8274            }
8275            return info;
8276        }
8277
8278        private void HEXLOG(byte[] block) {
8279            int offset = 0;
8280            int todo = block.length;
8281            StringBuilder buf = new StringBuilder(64);
8282            while (todo > 0) {
8283                buf.append(String.format("%04x   ", offset));
8284                int numThisLine = (todo > 16) ? 16 : todo;
8285                for (int i = 0; i < numThisLine; i++) {
8286                    buf.append(String.format("%02x ", block[offset+i]));
8287                }
8288                Slog.i("hexdump", buf.toString());
8289                buf.setLength(0);
8290                todo -= numThisLine;
8291                offset += numThisLine;
8292            }
8293        }
8294
8295        // Read exactly the given number of bytes into a buffer at the stated offset.
8296        // Returns false if EOF is encountered before the requested number of bytes
8297        // could be read.
8298        int readExactly(InputStream in, byte[] buffer, int offset, int size)
8299                throws IOException {
8300            if (size <= 0) throw new IllegalArgumentException("size must be > 0");
8301
8302            int soFar = 0;
8303            while (soFar < size) {
8304                int nRead = in.read(buffer, offset + soFar, size - soFar);
8305                if (nRead <= 0) {
8306                    if (MORE_DEBUG) Slog.w(TAG, "- wanted exactly " + size + " but got only " + soFar);
8307                    break;
8308                }
8309                soFar += nRead;
8310            }
8311            return soFar;
8312        }
8313
8314        boolean readTarHeader(InputStream instream, byte[] block) throws IOException {
8315            final int got = readExactly(instream, block, 0, 512);
8316            if (got == 0) return false;     // Clean EOF
8317            if (got < 512) throw new IOException("Unable to read full block header");
8318            mBytes += 512;
8319            return true;
8320        }
8321
8322        // overwrites 'info' fields based on the pax extended header
8323        boolean readPaxExtendedHeader(InputStream instream, FileMetadata info)
8324                throws IOException {
8325            // We should never see a pax extended header larger than this
8326            if (info.size > 32*1024) {
8327                Slog.w(TAG, "Suspiciously large pax header size " + info.size
8328                        + " - aborting");
8329                throw new IOException("Sanity failure: pax header size " + info.size);
8330            }
8331
8332            // read whole blocks, not just the content size
8333            int numBlocks = (int)((info.size + 511) >> 9);
8334            byte[] data = new byte[numBlocks * 512];
8335            if (readExactly(instream, data, 0, data.length) < data.length) {
8336                throw new IOException("Unable to read full pax header");
8337            }
8338            mBytes += data.length;
8339
8340            final int contentSize = (int) info.size;
8341            int offset = 0;
8342            do {
8343                // extract the line at 'offset'
8344                int eol = offset+1;
8345                while (eol < contentSize && data[eol] != ' ') eol++;
8346                if (eol >= contentSize) {
8347                    // error: we just hit EOD looking for the end of the size field
8348                    throw new IOException("Invalid pax data");
8349                }
8350                // eol points to the space between the count and the key
8351                int linelen = (int) extractRadix(data, offset, eol - offset, 10);
8352                int key = eol + 1;  // start of key=value
8353                eol = offset + linelen - 1; // trailing LF
8354                int value;
8355                for (value = key+1; data[value] != '=' && value <= eol; value++);
8356                if (value > eol) {
8357                    throw new IOException("Invalid pax declaration");
8358                }
8359
8360                // pax requires that key/value strings be in UTF-8
8361                String keyStr = new String(data, key, value-key, "UTF-8");
8362                // -1 to strip the trailing LF
8363                String valStr = new String(data, value+1, eol-value-1, "UTF-8");
8364
8365                if ("path".equals(keyStr)) {
8366                    info.path = valStr;
8367                } else if ("size".equals(keyStr)) {
8368                    info.size = Long.parseLong(valStr);
8369                } else {
8370                    if (DEBUG) Slog.i(TAG, "Unhandled pax key: " + key);
8371                }
8372
8373                offset += linelen;
8374            } while (offset < contentSize);
8375
8376            return true;
8377        }
8378
8379        long extractRadix(byte[] data, int offset, int maxChars, int radix)
8380                throws IOException {
8381            long value = 0;
8382            final int end = offset + maxChars;
8383            for (int i = offset; i < end; i++) {
8384                final byte b = data[i];
8385                // Numeric fields in tar can terminate with either NUL or SPC
8386                if (b == 0 || b == ' ') break;
8387                if (b < '0' || b > ('0' + radix - 1)) {
8388                    throw new IOException("Invalid number in header: '" + (char)b + "' for radix " + radix);
8389                }
8390                value = radix * value + (b - '0');
8391            }
8392            return value;
8393        }
8394
8395        String extractString(byte[] data, int offset, int maxChars) throws IOException {
8396            final int end = offset + maxChars;
8397            int eos = offset;
8398            // tar string fields terminate early with a NUL
8399            while (eos < end && data[eos] != 0) eos++;
8400            return new String(data, offset, eos-offset, "US-ASCII");
8401        }
8402
8403        void sendStartRestore() {
8404            if (mObserver != null) {
8405                try {
8406                    mObserver.onStartRestore();
8407                } catch (RemoteException e) {
8408                    Slog.w(TAG, "full restore observer went away: startRestore");
8409                    mObserver = null;
8410                }
8411            }
8412        }
8413
8414        void sendOnRestorePackage(String name) {
8415            if (mObserver != null) {
8416                try {
8417                    // TODO: use a more user-friendly name string
8418                    mObserver.onRestorePackage(name);
8419                } catch (RemoteException e) {
8420                    Slog.w(TAG, "full restore observer went away: restorePackage");
8421                    mObserver = null;
8422                }
8423            }
8424        }
8425
8426        void sendEndRestore() {
8427            if (mObserver != null) {
8428                try {
8429                    mObserver.onEndRestore();
8430                } catch (RemoteException e) {
8431                    Slog.w(TAG, "full restore observer went away: endRestore");
8432                    mObserver = null;
8433                }
8434            }
8435        }
8436    }
8437
8438    // ----- Restore handling -----
8439
8440    // Old style: directly match the stored vs on device signature blocks
8441    static boolean signaturesMatch(Signature[] storedSigs, PackageInfo target) {
8442        if (target == null) {
8443            return false;
8444        }
8445
8446        // If the target resides on the system partition, we allow it to restore
8447        // data from the like-named package in a restore set even if the signatures
8448        // do not match.  (Unlike general applications, those flashed to the system
8449        // partition will be signed with the device's platform certificate, so on
8450        // different phones the same system app will have different signatures.)
8451        if ((target.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
8452            if (MORE_DEBUG) Slog.v(TAG, "System app " + target.packageName + " - skipping sig check");
8453            return true;
8454        }
8455
8456        // Allow unsigned apps, but not signed on one device and unsigned on the other
8457        // !!! TODO: is this the right policy?
8458        Signature[] deviceSigs = target.signatures;
8459        if (MORE_DEBUG) Slog.v(TAG, "signaturesMatch(): stored=" + storedSigs
8460                + " device=" + deviceSigs);
8461        if ((storedSigs == null || storedSigs.length == 0)
8462                && (deviceSigs == null || deviceSigs.length == 0)) {
8463            return true;
8464        }
8465        if (storedSigs == null || deviceSigs == null) {
8466            return false;
8467        }
8468
8469        // !!! TODO: this demands that every stored signature match one
8470        // that is present on device, and does not demand the converse.
8471        // Is this this right policy?
8472        int nStored = storedSigs.length;
8473        int nDevice = deviceSigs.length;
8474
8475        for (int i=0; i < nStored; i++) {
8476            boolean match = false;
8477            for (int j=0; j < nDevice; j++) {
8478                if (storedSigs[i].equals(deviceSigs[j])) {
8479                    match = true;
8480                    break;
8481                }
8482            }
8483            if (!match) {
8484                return false;
8485            }
8486        }
8487        return true;
8488    }
8489
8490    // Used by both incremental and full restore
8491    void restoreWidgetData(String packageName, byte[] widgetData) {
8492        // Apply the restored widget state and generate the ID update for the app
8493        // TODO: http://b/22388012
8494        if (MORE_DEBUG) {
8495            Slog.i(TAG, "Incorporating restored widget data");
8496        }
8497        AppWidgetBackupBridge.restoreWidgetState(packageName, widgetData, UserHandle.USER_SYSTEM);
8498    }
8499
8500    // *****************************
8501    // NEW UNIFIED RESTORE IMPLEMENTATION
8502    // *****************************
8503
8504    // states of the unified-restore state machine
8505    enum UnifiedRestoreState {
8506        INITIAL,
8507        RUNNING_QUEUE,
8508        RESTORE_KEYVALUE,
8509        RESTORE_FULL,
8510        RESTORE_FINISHED,
8511        FINAL
8512    }
8513
8514    class PerformUnifiedRestoreTask implements BackupRestoreTask {
8515        // Transport we're working with to do the restore
8516        private IBackupTransport mTransport;
8517
8518        // Where per-transport saved state goes
8519        File mStateDir;
8520
8521        // Restore observer; may be null
8522        private IRestoreObserver mObserver;
8523
8524        // BackuoManagerMonitor; may be null
8525        private IBackupManagerMonitor mMonitor;
8526
8527        // Token identifying the dataset to the transport
8528        private long mToken;
8529
8530        // When this is a restore-during-install, this is the token identifying the
8531        // operation to the Package Manager, and we must ensure that we let it know
8532        // when we're finished.
8533        private int mPmToken;
8534
8535        // When this is restore-during-install, we need to tell the package manager
8536        // whether we actually launched the app, because this affects notifications
8537        // around externally-visible state transitions.
8538        private boolean mDidLaunch;
8539
8540        // Is this a whole-system restore, i.e. are we establishing a new ancestral
8541        // dataset to base future restore-at-install operations from?
8542        private boolean mIsSystemRestore;
8543
8544        // If this is a single-package restore, what package are we interested in?
8545        private PackageInfo mTargetPackage;
8546
8547        // In all cases, the calculated list of packages that we are trying to restore
8548        private List<PackageInfo> mAcceptSet;
8549
8550        // Our bookkeeping about the ancestral dataset
8551        private PackageManagerBackupAgent mPmAgent;
8552
8553        // Currently-bound backup agent for restore + restoreFinished purposes
8554        private IBackupAgent mAgent;
8555
8556        // What sort of restore we're doing now
8557        private RestoreDescription mRestoreDescription;
8558
8559        // The package we're currently restoring
8560        private PackageInfo mCurrentPackage;
8561
8562        // Widget-related data handled as part of this restore operation
8563        private byte[] mWidgetData;
8564
8565        // Number of apps restored in this pass
8566        private int mCount;
8567
8568        // When did we start?
8569        private long mStartRealtime;
8570
8571        // State machine progress
8572        private UnifiedRestoreState mState;
8573
8574        // How are things going?
8575        private int mStatus;
8576
8577        // Done?
8578        private boolean mFinished;
8579
8580        // Key/value: bookkeeping about staged data and files for agent access
8581        private File mBackupDataName;
8582        private File mStageName;
8583        private File mSavedStateName;
8584        private File mNewStateName;
8585        ParcelFileDescriptor mBackupData;
8586        ParcelFileDescriptor mNewState;
8587
8588        private final int mEphemeralOpToken;
8589
8590        // Invariant: mWakelock is already held, and this task is responsible for
8591        // releasing it at the end of the restore operation.
8592        PerformUnifiedRestoreTask(IBackupTransport transport, IRestoreObserver observer,
8593                IBackupManagerMonitor monitor, long restoreSetToken, PackageInfo targetPackage,
8594                int pmToken, boolean isFullSystemRestore, String[] filterSet) {
8595            mEphemeralOpToken = generateRandomIntegerToken();
8596            mState = UnifiedRestoreState.INITIAL;
8597            mStartRealtime = SystemClock.elapsedRealtime();
8598
8599            mTransport = transport;
8600            mObserver = observer;
8601            mMonitor = monitor;
8602            mToken = restoreSetToken;
8603            mPmToken = pmToken;
8604            mTargetPackage = targetPackage;
8605            mIsSystemRestore = isFullSystemRestore;
8606            mFinished = false;
8607            mDidLaunch = false;
8608
8609            if (targetPackage != null) {
8610                // Single package restore
8611                mAcceptSet = new ArrayList<PackageInfo>();
8612                mAcceptSet.add(targetPackage);
8613            } else {
8614                // Everything possible, or a target set
8615                if (filterSet == null) {
8616                    // We want everything and a pony
8617                    List<PackageInfo> apps =
8618                            PackageManagerBackupAgent.getStorableApplications(mPackageManager);
8619                    filterSet = packagesToNames(apps);
8620                    if (DEBUG) {
8621                        Slog.i(TAG, "Full restore; asking about " + filterSet.length + " apps");
8622                    }
8623                }
8624
8625                mAcceptSet = new ArrayList<PackageInfo>(filterSet.length);
8626
8627                // Pro tem, we insist on moving the settings provider package to last place.
8628                // Keep track of whether it's in the list, and bump it down if so.  We also
8629                // want to do the system package itself first if it's called for.
8630                boolean hasSystem = false;
8631                boolean hasSettings = false;
8632                for (int i = 0; i < filterSet.length; i++) {
8633                    try {
8634                        PackageInfo info = mPackageManager.getPackageInfo(filterSet[i], 0);
8635                        if ("android".equals(info.packageName)) {
8636                            hasSystem = true;
8637                            continue;
8638                        }
8639                        if (SETTINGS_PACKAGE.equals(info.packageName)) {
8640                            hasSettings = true;
8641                            continue;
8642                        }
8643
8644                        if (appIsEligibleForBackup(info.applicationInfo, mPackageManager)) {
8645                            mAcceptSet.add(info);
8646                        }
8647                    } catch (NameNotFoundException e) {
8648                        // requested package name doesn't exist; ignore it
8649                    }
8650                }
8651                if (hasSystem) {
8652                    try {
8653                        mAcceptSet.add(0, mPackageManager.getPackageInfo("android", 0));
8654                    } catch (NameNotFoundException e) {
8655                        // won't happen; we know a priori that it's valid
8656                    }
8657                }
8658                if (hasSettings) {
8659                    try {
8660                        mAcceptSet.add(mPackageManager.getPackageInfo(SETTINGS_PACKAGE, 0));
8661                    } catch (NameNotFoundException e) {
8662                        // this one is always valid too
8663                    }
8664                }
8665            }
8666
8667            if (MORE_DEBUG) {
8668                Slog.v(TAG, "Restore; accept set size is " + mAcceptSet.size());
8669                for (PackageInfo info : mAcceptSet) {
8670                    Slog.v(TAG, "   " + info.packageName);
8671                }
8672            }
8673        }
8674
8675        private String[] packagesToNames(List<PackageInfo> apps) {
8676            final int N = apps.size();
8677            String[] names = new String[N];
8678            for (int i = 0; i < N; i++) {
8679                names[i] = apps.get(i).packageName;
8680            }
8681            return names;
8682        }
8683
8684        // Execute one tick of whatever state machine the task implements
8685        @Override
8686        public void execute() {
8687            if (MORE_DEBUG) Slog.v(TAG, "*** Executing restore step " + mState);
8688            switch (mState) {
8689                case INITIAL:
8690                    startRestore();
8691                    break;
8692
8693                case RUNNING_QUEUE:
8694                    dispatchNextRestore();
8695                    break;
8696
8697                case RESTORE_KEYVALUE:
8698                    restoreKeyValue();
8699                    break;
8700
8701                case RESTORE_FULL:
8702                    restoreFull();
8703                    break;
8704
8705                case RESTORE_FINISHED:
8706                    restoreFinished();
8707                    break;
8708
8709                case FINAL:
8710                    if (!mFinished) finalizeRestore();
8711                    else {
8712                        Slog.e(TAG, "Duplicate finish");
8713                    }
8714                    mFinished = true;
8715                    break;
8716            }
8717        }
8718
8719        /*
8720         * SKETCH OF OPERATION
8721         *
8722         * create one of these PerformUnifiedRestoreTask objects, telling it which
8723         * dataset & transport to address, and then parameters within the restore
8724         * operation: single target package vs many, etc.
8725         *
8726         * 1. transport.startRestore(token, list-of-packages).  If we need @pm@  it is
8727         * always placed first and the settings provider always placed last [for now].
8728         *
8729         * 1a [if we needed @pm@ then nextRestorePackage() and restore the PMBA inline]
8730         *
8731         *   [ state change => RUNNING_QUEUE ]
8732         *
8733         * NOW ITERATE:
8734         *
8735         * { 3. t.nextRestorePackage()
8736         *   4. does the metadata for this package allow us to restore it?
8737         *      does the on-disk app permit us to restore it? [re-check allowBackup etc]
8738         *   5. is this a key/value dataset?  => key/value agent restore
8739         *       [ state change => RESTORE_KEYVALUE ]
8740         *       5a. spin up agent
8741         *       5b. t.getRestoreData() to stage it properly
8742         *       5c. call into agent to perform restore
8743         *       5d. tear down agent
8744         *       [ state change => RUNNING_QUEUE ]
8745         *
8746         *   6. else it's a stream dataset:
8747         *       [ state change => RESTORE_FULL ]
8748         *       6a. instantiate the engine for a stream restore: engine handles agent lifecycles
8749         *       6b. spin off engine runner on separate thread
8750         *       6c. ITERATE getNextFullRestoreDataChunk() and copy data to engine runner socket
8751         *       [ state change => RUNNING_QUEUE ]
8752         * }
8753         *
8754         *   [ state change => FINAL ]
8755         *
8756         * 7. t.finishRestore(), release wakelock, etc.
8757         *
8758         *
8759         */
8760
8761        // state INITIAL : set up for the restore and read the metadata if necessary
8762        private  void startRestore() {
8763            sendStartRestore(mAcceptSet.size());
8764
8765            // If we're starting a full-system restore, set up to begin widget ID remapping
8766            if (mIsSystemRestore) {
8767                // TODO: http://b/22388012
8768                AppWidgetBackupBridge.restoreStarting(UserHandle.USER_SYSTEM);
8769            }
8770
8771            try {
8772                String transportDir = mTransport.transportDirName();
8773                mStateDir = new File(mBaseStateDir, transportDir);
8774
8775                // Fetch the current metadata from the dataset first
8776                PackageInfo pmPackage = new PackageInfo();
8777                pmPackage.packageName = PACKAGE_MANAGER_SENTINEL;
8778                mAcceptSet.add(0, pmPackage);
8779
8780                PackageInfo[] packages = mAcceptSet.toArray(new PackageInfo[0]);
8781                mStatus = mTransport.startRestore(mToken, packages);
8782                if (mStatus != BackupTransport.TRANSPORT_OK) {
8783                    Slog.e(TAG, "Transport error " + mStatus + "; no restore possible");
8784                    mStatus = BackupTransport.TRANSPORT_ERROR;
8785                    executeNextState(UnifiedRestoreState.FINAL);
8786                    return;
8787                }
8788
8789                RestoreDescription desc = mTransport.nextRestorePackage();
8790                if (desc == null) {
8791                    Slog.e(TAG, "No restore metadata available; halting");
8792                    mMonitor = monitorEvent(mMonitor,
8793                            BackupManagerMonitor.LOG_EVENT_ID_NO_RESTORE_METADATA_AVAILABLE,
8794                            mCurrentPackage,
8795                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
8796                    mStatus = BackupTransport.TRANSPORT_ERROR;
8797                    executeNextState(UnifiedRestoreState.FINAL);
8798                    return;
8799                }
8800                if (!PACKAGE_MANAGER_SENTINEL.equals(desc.getPackageName())) {
8801                    Slog.e(TAG, "Required package metadata but got "
8802                            + desc.getPackageName());
8803                    mMonitor = monitorEvent(mMonitor,
8804                            BackupManagerMonitor.LOG_EVENT_ID_NO_PM_METADATA_RECEIVED,
8805                            mCurrentPackage,
8806                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
8807                    mStatus = BackupTransport.TRANSPORT_ERROR;
8808                    executeNextState(UnifiedRestoreState.FINAL);
8809                    return;
8810                }
8811
8812                // Pull the Package Manager metadata from the restore set first
8813                mCurrentPackage = new PackageInfo();
8814                mCurrentPackage.packageName = PACKAGE_MANAGER_SENTINEL;
8815                mPmAgent = new PackageManagerBackupAgent(mPackageManager, null);
8816                mAgent = IBackupAgent.Stub.asInterface(mPmAgent.onBind());
8817                if (MORE_DEBUG) {
8818                    Slog.v(TAG, "initiating restore for PMBA");
8819                }
8820                initiateOneRestore(mCurrentPackage, 0);
8821                // The PM agent called operationComplete() already, because our invocation
8822                // of it is process-local and therefore synchronous.  That means that the
8823                // next-state message (RUNNING_QUEUE) is already enqueued.  Only if we're
8824                // unable to proceed with running the queue do we remove that pending
8825                // message and jump straight to the FINAL state.  Because this was
8826                // synchronous we also know that we should cancel the pending timeout
8827                // message.
8828                mBackupHandler.removeMessages(MSG_RESTORE_OPERATION_TIMEOUT);
8829
8830                // Verify that the backup set includes metadata.  If not, we can't do
8831                // signature/version verification etc, so we simply do not proceed with
8832                // the restore operation.
8833                if (!mPmAgent.hasMetadata()) {
8834                    Slog.e(TAG, "PM agent has no metadata, so not restoring");
8835                    mMonitor = monitorEvent(mMonitor,
8836                            BackupManagerMonitor.LOG_EVENT_ID_PM_AGENT_HAS_NO_METADATA,
8837                            mCurrentPackage,
8838                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
8839                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
8840                            PACKAGE_MANAGER_SENTINEL,
8841                            "Package manager restore metadata missing");
8842                    mStatus = BackupTransport.TRANSPORT_ERROR;
8843                    mBackupHandler.removeMessages(MSG_BACKUP_RESTORE_STEP, this);
8844                    executeNextState(UnifiedRestoreState.FINAL);
8845                    return;
8846                }
8847
8848                // Success; cache the metadata and continue as expected with the
8849                // next state already enqueued
8850
8851            } catch (Exception e) {
8852                // If we lost the transport at any time, halt
8853                Slog.e(TAG, "Unable to contact transport for restore: " + e.getMessage());
8854                mMonitor = monitorEvent(mMonitor,
8855                        BackupManagerMonitor.LOG_EVENT_ID_LOST_TRANSPORT,
8856                        null,
8857                        BackupManagerMonitor.LOG_EVENT_CATEGORY_TRANSPORT, null);
8858                mStatus = BackupTransport.TRANSPORT_ERROR;
8859                mBackupHandler.removeMessages(MSG_BACKUP_RESTORE_STEP, this);
8860                executeNextState(UnifiedRestoreState.FINAL);
8861                return;
8862            }
8863        }
8864
8865        // state RUNNING_QUEUE : figure out what the next thing to be restored is,
8866        // and fire the appropriate next step
8867        private void dispatchNextRestore() {
8868            UnifiedRestoreState nextState = UnifiedRestoreState.FINAL;
8869            try {
8870                mRestoreDescription = mTransport.nextRestorePackage();
8871                final String pkgName = (mRestoreDescription != null)
8872                        ? mRestoreDescription.getPackageName() : null;
8873                if (pkgName == null) {
8874                    Slog.e(TAG, "Failure getting next package name");
8875                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
8876                    nextState = UnifiedRestoreState.FINAL;
8877                    return;
8878                } else if (mRestoreDescription == RestoreDescription.NO_MORE_PACKAGES) {
8879                    // Yay we've reached the end cleanly
8880                    if (DEBUG) {
8881                        Slog.v(TAG, "No more packages; finishing restore");
8882                    }
8883                    int millis = (int) (SystemClock.elapsedRealtime() - mStartRealtime);
8884                    EventLog.writeEvent(EventLogTags.RESTORE_SUCCESS, mCount, millis);
8885                    nextState = UnifiedRestoreState.FINAL;
8886                    return;
8887                }
8888
8889                if (DEBUG) {
8890                    Slog.i(TAG, "Next restore package: " + mRestoreDescription);
8891                }
8892                sendOnRestorePackage(pkgName);
8893
8894                Metadata metaInfo = mPmAgent.getRestoredMetadata(pkgName);
8895                if (metaInfo == null) {
8896                    Slog.e(TAG, "No metadata for " + pkgName);
8897                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, pkgName,
8898                            "Package metadata missing");
8899                    nextState = UnifiedRestoreState.RUNNING_QUEUE;
8900                    return;
8901                }
8902
8903                try {
8904                    mCurrentPackage = mPackageManager.getPackageInfo(
8905                            pkgName, PackageManager.GET_SIGNATURES);
8906                } catch (NameNotFoundException e) {
8907                    // Whoops, we thought we could restore this package but it
8908                    // turns out not to be present.  Skip it.
8909                    Slog.e(TAG, "Package not present: " + pkgName);
8910                    mMonitor = monitorEvent(mMonitor,
8911                            BackupManagerMonitor.LOG_EVENT_ID_PACKAGE_NOT_PRESENT,
8912                            mCurrentPackage,
8913                            BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
8914                            null);
8915                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, pkgName,
8916                            "Package missing on device");
8917                    nextState = UnifiedRestoreState.RUNNING_QUEUE;
8918                    return;
8919                }
8920
8921                if (metaInfo.versionCode > mCurrentPackage.versionCode) {
8922                    // Data is from a "newer" version of the app than we have currently
8923                    // installed.  If the app has not declared that it is prepared to
8924                    // handle this case, we do not attempt the restore.
8925                    if ((mCurrentPackage.applicationInfo.flags
8926                            & ApplicationInfo.FLAG_RESTORE_ANY_VERSION) == 0) {
8927                        String message = "Source version " + metaInfo.versionCode
8928                                + " > installed version " + mCurrentPackage.versionCode;
8929                        Slog.w(TAG, "Package " + pkgName + ": " + message);
8930                        Bundle monitoringExtras = putMonitoringExtra(null,
8931                                BackupManagerMonitor.EXTRA_LOG_RESTORE_VERSION,
8932                                metaInfo.versionCode);
8933                        monitoringExtras = putMonitoringExtra(monitoringExtras,
8934                                BackupManagerMonitor.EXTRA_LOG_RESTORE_ANYWAY, false);
8935                        mMonitor = monitorEvent(mMonitor,
8936                                BackupManagerMonitor.LOG_EVENT_ID_RESTORE_VERSION_HIGHER,
8937                                mCurrentPackage,
8938                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
8939                                monitoringExtras);
8940                        EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
8941                                pkgName, message);
8942                        nextState = UnifiedRestoreState.RUNNING_QUEUE;
8943                        return;
8944                    } else {
8945                        if (DEBUG) Slog.v(TAG, "Source version " + metaInfo.versionCode
8946                                + " > installed version " + mCurrentPackage.versionCode
8947                                + " but restoreAnyVersion");
8948                        Bundle monitoringExtras = putMonitoringExtra(null,
8949                                BackupManagerMonitor.EXTRA_LOG_RESTORE_VERSION,
8950                                metaInfo.versionCode);
8951                        monitoringExtras = putMonitoringExtra(monitoringExtras,
8952                                BackupManagerMonitor.EXTRA_LOG_RESTORE_ANYWAY, true);
8953                        mMonitor = monitorEvent(mMonitor,
8954                                BackupManagerMonitor.LOG_EVENT_ID_RESTORE_VERSION_HIGHER,
8955                                mCurrentPackage,
8956                                BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY,
8957                                monitoringExtras);
8958                    }
8959                }
8960
8961                if (MORE_DEBUG) Slog.v(TAG, "Package " + pkgName
8962                        + " restore version [" + metaInfo.versionCode
8963                        + "] is compatible with installed version ["
8964                        + mCurrentPackage.versionCode + "]");
8965
8966                // Reset per-package preconditions and fire the appropriate next state
8967                mWidgetData = null;
8968                final int type = mRestoreDescription.getDataType();
8969                if (type == RestoreDescription.TYPE_KEY_VALUE) {
8970                    nextState = UnifiedRestoreState.RESTORE_KEYVALUE;
8971                } else if (type == RestoreDescription.TYPE_FULL_STREAM) {
8972                    nextState = UnifiedRestoreState.RESTORE_FULL;
8973                } else {
8974                    // Unknown restore type; ignore this package and move on
8975                    Slog.e(TAG, "Unrecognized restore type " + type);
8976                    nextState = UnifiedRestoreState.RUNNING_QUEUE;
8977                    return;
8978                }
8979            } catch (Exception e) {
8980                Slog.e(TAG, "Can't get next restore target from transport; halting: "
8981                        + e.getMessage());
8982                EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
8983                nextState = UnifiedRestoreState.FINAL;
8984                return;
8985            } finally {
8986                executeNextState(nextState);
8987            }
8988        }
8989
8990        // state RESTORE_KEYVALUE : restore one package via key/value API set
8991        private void restoreKeyValue() {
8992            // Initiating the restore will pass responsibility for the state machine's
8993            // progress to the agent callback, so we do not always execute the
8994            // next state here.
8995            final String packageName = mCurrentPackage.packageName;
8996            // Validate some semantic requirements that apply in this way
8997            // only to the key/value restore API flow
8998            if (mCurrentPackage.applicationInfo.backupAgentName == null
8999                    || "".equals(mCurrentPackage.applicationInfo.backupAgentName)) {
9000                if (MORE_DEBUG) {
9001                    Slog.i(TAG, "Data exists for package " + packageName
9002                            + " but app has no agent; skipping");
9003                }
9004                mMonitor = monitorEvent(mMonitor,
9005                        BackupManagerMonitor.LOG_EVENT_ID_APP_HAS_NO_AGENT, mCurrentPackage,
9006                        BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT, null);
9007                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
9008                        "Package has no agent");
9009                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9010                return;
9011            }
9012
9013            Metadata metaInfo = mPmAgent.getRestoredMetadata(packageName);
9014            if (!BackupUtils.signaturesMatch(metaInfo.sigHashes, mCurrentPackage)) {
9015                Slog.w(TAG, "Signature mismatch restoring " + packageName);
9016                mMonitor = monitorEvent(mMonitor,
9017                        BackupManagerMonitor.LOG_EVENT_ID_SIGNATURE_MISMATCH, mCurrentPackage,
9018                        BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
9019                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
9020                        "Signature mismatch");
9021                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9022                return;
9023            }
9024
9025            // Good to go!  Set up and bind the agent...
9026            mAgent = bindToAgentSynchronous(
9027                    mCurrentPackage.applicationInfo,
9028                    ApplicationThreadConstants.BACKUP_MODE_INCREMENTAL);
9029            if (mAgent == null) {
9030                Slog.w(TAG, "Can't find backup agent for " + packageName);
9031                mMonitor = monitorEvent(mMonitor,
9032                        BackupManagerMonitor.LOG_EVENT_ID_CANT_FIND_AGENT, mCurrentPackage,
9033                        BackupManagerMonitor.LOG_EVENT_CATEGORY_BACKUP_MANAGER_POLICY, null);
9034                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
9035                        "Restore agent missing");
9036                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9037                return;
9038            }
9039
9040            // Whatever happens next, we've launched the target app now; remember that.
9041            mDidLaunch = true;
9042
9043            // And then finally start the restore on this agent
9044            try {
9045                initiateOneRestore(mCurrentPackage, metaInfo.versionCode);
9046                ++mCount;
9047            } catch (Exception e) {
9048                Slog.e(TAG, "Error when attempting restore: " + e.toString());
9049                keyValueAgentErrorCleanup();
9050                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9051            }
9052        }
9053
9054        // Guts of a key/value restore operation
9055        void initiateOneRestore(PackageInfo app, int appVersionCode) {
9056            final String packageName = app.packageName;
9057
9058            if (DEBUG) Slog.d(TAG, "initiateOneRestore packageName=" + packageName);
9059
9060            // !!! TODO: get the dirs from the transport
9061            mBackupDataName = new File(mDataDir, packageName + ".restore");
9062            mStageName = new File(mDataDir, packageName + ".stage");
9063            mNewStateName = new File(mStateDir, packageName + ".new");
9064            mSavedStateName = new File(mStateDir, packageName);
9065
9066            // don't stage the 'android' package where the wallpaper data lives.  this is
9067            // an optimization: we know there's no widget data hosted/published by that
9068            // package, and this way we avoid doing a spurious copy of MB-sized wallpaper
9069            // data following the download.
9070            boolean staging = !packageName.equals("android");
9071            ParcelFileDescriptor stage;
9072            File downloadFile = (staging) ? mStageName : mBackupDataName;
9073
9074            try {
9075                // Run the transport's restore pass
9076                stage = ParcelFileDescriptor.open(downloadFile,
9077                        ParcelFileDescriptor.MODE_READ_WRITE |
9078                        ParcelFileDescriptor.MODE_CREATE |
9079                        ParcelFileDescriptor.MODE_TRUNCATE);
9080
9081                if (mTransport.getRestoreData(stage) != BackupTransport.TRANSPORT_OK) {
9082                    // Transport-level failure, so we wind everything up and
9083                    // terminate the restore operation.
9084                    Slog.e(TAG, "Error getting restore data for " + packageName);
9085                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
9086                    stage.close();
9087                    downloadFile.delete();
9088                    executeNextState(UnifiedRestoreState.FINAL);
9089                    return;
9090                }
9091
9092                // We have the data from the transport. Now we extract and strip
9093                // any per-package metadata (typically widget-related information)
9094                // if appropriate
9095                if (staging) {
9096                    stage.close();
9097                    stage = ParcelFileDescriptor.open(downloadFile,
9098                            ParcelFileDescriptor.MODE_READ_ONLY);
9099
9100                    mBackupData = ParcelFileDescriptor.open(mBackupDataName,
9101                            ParcelFileDescriptor.MODE_READ_WRITE |
9102                            ParcelFileDescriptor.MODE_CREATE |
9103                            ParcelFileDescriptor.MODE_TRUNCATE);
9104
9105                    BackupDataInput in = new BackupDataInput(stage.getFileDescriptor());
9106                    BackupDataOutput out = new BackupDataOutput(mBackupData.getFileDescriptor());
9107                    byte[] buffer = new byte[8192]; // will grow when needed
9108                    while (in.readNextHeader()) {
9109                        final String key = in.getKey();
9110                        final int size = in.getDataSize();
9111
9112                        // is this a special key?
9113                        if (key.equals(KEY_WIDGET_STATE)) {
9114                            if (DEBUG) {
9115                                Slog.i(TAG, "Restoring widget state for " + packageName);
9116                            }
9117                            mWidgetData = new byte[size];
9118                            in.readEntityData(mWidgetData, 0, size);
9119                        } else {
9120                            if (size > buffer.length) {
9121                                buffer = new byte[size];
9122                            }
9123                            in.readEntityData(buffer, 0, size);
9124                            out.writeEntityHeader(key, size);
9125                            out.writeEntityData(buffer, size);
9126                        }
9127                    }
9128
9129                    mBackupData.close();
9130                }
9131
9132                // Okay, we have the data.  Now have the agent do the restore.
9133                stage.close();
9134
9135                mBackupData = ParcelFileDescriptor.open(mBackupDataName,
9136                        ParcelFileDescriptor.MODE_READ_ONLY);
9137
9138                mNewState = ParcelFileDescriptor.open(mNewStateName,
9139                        ParcelFileDescriptor.MODE_READ_WRITE |
9140                        ParcelFileDescriptor.MODE_CREATE |
9141                        ParcelFileDescriptor.MODE_TRUNCATE);
9142
9143                // Kick off the restore, checking for hung agents.  The timeout or
9144                // the operationComplete() callback will schedule the next step,
9145                // so we do not do that here.
9146                prepareOperationTimeout(mEphemeralOpToken, TIMEOUT_RESTORE_INTERVAL,
9147                        this, OP_TYPE_RESTORE_WAIT);
9148                mAgent.doRestore(mBackupData, appVersionCode, mNewState,
9149                        mEphemeralOpToken, mBackupManagerBinder);
9150            } catch (Exception e) {
9151                Slog.e(TAG, "Unable to call app for restore: " + packageName, e);
9152                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
9153                        packageName, e.toString());
9154                keyValueAgentErrorCleanup();    // clears any pending timeout messages as well
9155
9156                // After a restore failure we go back to running the queue.  If there
9157                // are no more packages to be restored that will be handled by the
9158                // next step.
9159                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9160            }
9161        }
9162
9163        // state RESTORE_FULL : restore one package via streaming engine
9164        private void restoreFull() {
9165            // None of this can run on the work looper here, so we spin asynchronous
9166            // work like this:
9167            //
9168            //   StreamFeederThread: read data from mTransport.getNextFullRestoreDataChunk()
9169            //                       write it into the pipe to the engine
9170            //   EngineThread: FullRestoreEngine thread communicating with the target app
9171            //
9172            // When finished, StreamFeederThread executes next state as appropriate on the
9173            // backup looper, and the overall unified restore task resumes
9174            try {
9175                StreamFeederThread feeder = new StreamFeederThread();
9176                if (MORE_DEBUG) {
9177                    Slog.i(TAG, "Spinning threads for stream restore of "
9178                            + mCurrentPackage.packageName);
9179                }
9180                new Thread(feeder, "unified-stream-feeder").start();
9181
9182                // At this point the feeder is responsible for advancing the restore
9183                // state, so we're done here.
9184            } catch (IOException e) {
9185                // Unable to instantiate the feeder thread -- we need to bail on the
9186                // current target.  We haven't asked the transport for data yet, though,
9187                // so we can do that simply by going back to running the restore queue.
9188                Slog.e(TAG, "Unable to construct pipes for stream restore!");
9189                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9190            }
9191        }
9192
9193        // state RESTORE_FINISHED : provide the "no more data" signpost callback at the end
9194        private void restoreFinished() {
9195            if (DEBUG) {
9196                Slog.d(TAG, "restoreFinished packageName=" + mCurrentPackage.packageName);
9197            }
9198            try {
9199                prepareOperationTimeout(mEphemeralOpToken, TIMEOUT_RESTORE_FINISHED_INTERVAL, this,
9200                        OP_TYPE_RESTORE_WAIT);
9201                mAgent.doRestoreFinished(mEphemeralOpToken, mBackupManagerBinder);
9202                // If we get this far, the callback or timeout will schedule the
9203                // next restore state, so we're done
9204            } catch (Exception e) {
9205                final String packageName = mCurrentPackage.packageName;
9206                Slog.e(TAG, "Unable to finalize restore of " + packageName);
9207                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
9208                        packageName, e.toString());
9209                keyValueAgentErrorCleanup();
9210                executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9211            }
9212        }
9213
9214        class StreamFeederThread extends RestoreEngine implements Runnable, BackupRestoreTask {
9215            final String TAG = "StreamFeederThread";
9216            FullRestoreEngine mEngine;
9217            EngineThread mEngineThread;
9218
9219            // pipe through which we read data from the transport. [0] read, [1] write
9220            ParcelFileDescriptor[] mTransportPipes;
9221
9222            // pipe through which the engine will read data.  [0] read, [1] write
9223            ParcelFileDescriptor[] mEnginePipes;
9224
9225            private final int mEphemeralOpToken;
9226
9227            public StreamFeederThread() throws IOException {
9228                mEphemeralOpToken = generateRandomIntegerToken();
9229                mTransportPipes = ParcelFileDescriptor.createPipe();
9230                mEnginePipes = ParcelFileDescriptor.createPipe();
9231                setRunning(true);
9232            }
9233
9234            @Override
9235            public void run() {
9236                UnifiedRestoreState nextState = UnifiedRestoreState.RUNNING_QUEUE;
9237                int status = BackupTransport.TRANSPORT_OK;
9238
9239                EventLog.writeEvent(EventLogTags.FULL_RESTORE_PACKAGE,
9240                        mCurrentPackage.packageName);
9241
9242                mEngine = new FullRestoreEngine(this, null, mMonitor, mCurrentPackage, false, false, mEphemeralOpToken);
9243                mEngineThread = new EngineThread(mEngine, mEnginePipes[0]);
9244
9245                ParcelFileDescriptor eWriteEnd = mEnginePipes[1];
9246                ParcelFileDescriptor tReadEnd = mTransportPipes[0];
9247                ParcelFileDescriptor tWriteEnd = mTransportPipes[1];
9248
9249                int bufferSize = 32 * 1024;
9250                byte[] buffer = new byte[bufferSize];
9251                FileOutputStream engineOut = new FileOutputStream(eWriteEnd.getFileDescriptor());
9252                FileInputStream transportIn = new FileInputStream(tReadEnd.getFileDescriptor());
9253
9254                // spin up the engine and start moving data to it
9255                new Thread(mEngineThread, "unified-restore-engine").start();
9256
9257                try {
9258                    while (status == BackupTransport.TRANSPORT_OK) {
9259                        // have the transport write some of the restoring data to us
9260                        int result = mTransport.getNextFullRestoreDataChunk(tWriteEnd);
9261                        if (result > 0) {
9262                            // The transport wrote this many bytes of restore data to the
9263                            // pipe, so pass it along to the engine.
9264                            if (MORE_DEBUG) {
9265                                Slog.v(TAG, "  <- transport provided chunk size " + result);
9266                            }
9267                            if (result > bufferSize) {
9268                                bufferSize = result;
9269                                buffer = new byte[bufferSize];
9270                            }
9271                            int toCopy = result;
9272                            while (toCopy > 0) {
9273                                int n = transportIn.read(buffer, 0, toCopy);
9274                                engineOut.write(buffer, 0, n);
9275                                toCopy -= n;
9276                                if (MORE_DEBUG) {
9277                                    Slog.v(TAG, "  -> wrote " + n + " to engine, left=" + toCopy);
9278                                }
9279                            }
9280                        } else if (result == BackupTransport.NO_MORE_DATA) {
9281                            // Clean finish.  Wind up and we're done!
9282                            if (MORE_DEBUG) {
9283                                Slog.i(TAG, "Got clean full-restore EOF for "
9284                                        + mCurrentPackage.packageName);
9285                            }
9286                            status = BackupTransport.TRANSPORT_OK;
9287                            break;
9288                        } else {
9289                            // Transport reported some sort of failure; the fall-through
9290                            // handling will deal properly with that.
9291                            Slog.e(TAG, "Error " + result + " streaming restore for "
9292                                    + mCurrentPackage.packageName);
9293                            EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
9294                            status = result;
9295                        }
9296                    }
9297                    if (MORE_DEBUG) Slog.v(TAG, "Done copying to engine, falling through");
9298                } catch (IOException e) {
9299                    // We lost our ability to communicate via the pipes.  That's worrying
9300                    // but potentially recoverable; abandon this package's restore but
9301                    // carry on with the next restore target.
9302                    Slog.e(TAG, "Unable to route data for restore");
9303                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
9304                            mCurrentPackage.packageName, "I/O error on pipes");
9305                    status = BackupTransport.AGENT_ERROR;
9306                } catch (Exception e) {
9307                    // The transport threw; terminate the whole operation.  Closing
9308                    // the sockets will wake up the engine and it will then tidy up the
9309                    // remote end.
9310                    Slog.e(TAG, "Transport failed during restore: " + e.getMessage());
9311                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
9312                    status = BackupTransport.TRANSPORT_ERROR;
9313                } finally {
9314                    // Close the transport pipes and *our* end of the engine pipe,
9315                    // but leave the engine thread's end open so that it properly
9316                    // hits EOF and winds up its operations.
9317                    IoUtils.closeQuietly(mEnginePipes[1]);
9318                    IoUtils.closeQuietly(mTransportPipes[0]);
9319                    IoUtils.closeQuietly(mTransportPipes[1]);
9320
9321                    // Don't proceed until the engine has wound up operations
9322                    mEngineThread.waitForResult();
9323
9324                    // Now we're really done with this one too
9325                    IoUtils.closeQuietly(mEnginePipes[0]);
9326
9327                    // In all cases we want to remember whether we launched
9328                    // the target app as part of our work so far.
9329                    mDidLaunch = (mEngine.getAgent() != null);
9330
9331                    // If we hit a transport-level error, we are done with everything;
9332                    // if we hit an agent error we just go back to running the queue.
9333                    if (status == BackupTransport.TRANSPORT_OK) {
9334                        // Clean finish means we issue the restore-finished callback
9335                        nextState = UnifiedRestoreState.RESTORE_FINISHED;
9336
9337                        // the engine bound the target's agent, so recover that binding
9338                        // to use for the callback.
9339                        mAgent = mEngine.getAgent();
9340
9341                        // and the restored widget data, if any
9342                        mWidgetData = mEngine.getWidgetData();
9343                    } else {
9344                        // Something went wrong somewhere.  Whether it was at the transport
9345                        // level is immaterial; we need to tell the transport to bail
9346                        try {
9347                            mTransport.abortFullRestore();
9348                        } catch (Exception e) {
9349                            // transport itself is dead; make sure we handle this as a
9350                            // fatal error
9351                            Slog.e(TAG, "Transport threw from abortFullRestore: " + e.getMessage());
9352                            status = BackupTransport.TRANSPORT_ERROR;
9353                        }
9354
9355                        // We also need to wipe the current target's data, as it's probably
9356                        // in an incoherent state.
9357                        clearApplicationDataSynchronous(mCurrentPackage.packageName);
9358
9359                        // Schedule the next state based on the nature of our failure
9360                        if (status == BackupTransport.TRANSPORT_ERROR) {
9361                            nextState = UnifiedRestoreState.FINAL;
9362                        } else {
9363                            nextState = UnifiedRestoreState.RUNNING_QUEUE;
9364                        }
9365                    }
9366                    executeNextState(nextState);
9367                    setRunning(false);
9368                }
9369            }
9370
9371            // BackupRestoreTask interface, specifically for timeout handling
9372
9373            @Override
9374            public void execute() { /* intentionally empty */ }
9375
9376            @Override
9377            public void operationComplete(long result) { /* intentionally empty */ }
9378
9379            // The app has timed out handling a restoring file
9380            @Override
9381            public void handleCancel(boolean cancelAll) {
9382                removeOperation(mEphemeralOpToken);
9383                if (DEBUG) {
9384                    Slog.w(TAG, "Full-data restore target timed out; shutting down");
9385                }
9386
9387                mMonitor = monitorEvent(mMonitor,
9388                        BackupManagerMonitor.LOG_EVENT_ID_FULL_RESTORE_TIMEOUT,
9389                        mCurrentPackage, BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT, null);
9390                mEngineThread.handleTimeout();
9391
9392                IoUtils.closeQuietly(mEnginePipes[1]);
9393                mEnginePipes[1] = null;
9394                IoUtils.closeQuietly(mEnginePipes[0]);
9395                mEnginePipes[0] = null;
9396            }
9397        }
9398
9399        class EngineThread implements Runnable {
9400            FullRestoreEngine mEngine;
9401            FileInputStream mEngineStream;
9402
9403            EngineThread(FullRestoreEngine engine, ParcelFileDescriptor engineSocket) {
9404                mEngine = engine;
9405                engine.setRunning(true);
9406                // We *do* want this FileInputStream to own the underlying fd, so that
9407                // when we are finished with it, it closes this end of the pipe in a way
9408                // that signals its other end.
9409                mEngineStream = new FileInputStream(engineSocket.getFileDescriptor(), true);
9410            }
9411
9412            public boolean isRunning() {
9413                return mEngine.isRunning();
9414            }
9415
9416            public int waitForResult() {
9417                return mEngine.waitForResult();
9418            }
9419
9420            @Override
9421            public void run() {
9422                try {
9423                    while (mEngine.isRunning()) {
9424                        // Tell it to be sure to leave the agent instance up after finishing
9425                        mEngine.restoreOneFile(mEngineStream, false);
9426                    }
9427                } finally {
9428                    // Because mEngineStream adopted its underlying FD, this also
9429                    // closes this end of the pipe.
9430                    IoUtils.closeQuietly(mEngineStream);
9431                }
9432            }
9433
9434            public void handleTimeout() {
9435                IoUtils.closeQuietly(mEngineStream);
9436                mEngine.handleTimeout();
9437            }
9438        }
9439
9440        // state FINAL : tear everything down and we're done.
9441        private void finalizeRestore() {
9442            if (MORE_DEBUG) Slog.d(TAG, "finishing restore mObserver=" + mObserver);
9443
9444            try {
9445                mTransport.finishRestore();
9446            } catch (Exception e) {
9447                Slog.e(TAG, "Error finishing restore", e);
9448            }
9449
9450            // Tell the observer we're done
9451            if (mObserver != null) {
9452                try {
9453                    mObserver.restoreFinished(mStatus);
9454                } catch (RemoteException e) {
9455                    Slog.d(TAG, "Restore observer died at restoreFinished");
9456                }
9457            }
9458
9459            // Clear any ongoing session timeout.
9460            mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
9461
9462            // If we have a PM token, we must under all circumstances be sure to
9463            // handshake when we've finished.
9464            if (mPmToken > 0) {
9465                if (MORE_DEBUG) Slog.v(TAG, "finishing PM token " + mPmToken);
9466                try {
9467                    mPackageManagerBinder.finishPackageInstall(mPmToken, mDidLaunch);
9468                } catch (RemoteException e) { /* can't happen */ }
9469            } else {
9470                // We were invoked via an active restore session, not by the Package
9471                // Manager, so start up the session timeout again.
9472                mBackupHandler.sendEmptyMessageDelayed(MSG_RESTORE_SESSION_TIMEOUT,
9473                        TIMEOUT_RESTORE_INTERVAL);
9474            }
9475
9476            // Kick off any work that may be needed regarding app widget restores
9477            // TODO: http://b/22388012
9478            AppWidgetBackupBridge.restoreFinished(UserHandle.USER_SYSTEM);
9479
9480            // If this was a full-system restore, record the ancestral
9481            // dataset information
9482            if (mIsSystemRestore && mPmAgent != null) {
9483                mAncestralPackages = mPmAgent.getRestoredPackages();
9484                mAncestralToken = mToken;
9485                writeRestoreTokens();
9486            }
9487
9488            // done; we can finally release the wakelock and be legitimately done.
9489            Slog.i(TAG, "Restore complete.");
9490
9491            synchronized (mPendingRestores) {
9492                if (mPendingRestores.size() > 0) {
9493                    if (DEBUG) {
9494                        Slog.d(TAG, "Starting next pending restore.");
9495                    }
9496                    PerformUnifiedRestoreTask task = mPendingRestores.remove();
9497                    mBackupHandler.sendMessage(
9498                            mBackupHandler.obtainMessage(MSG_BACKUP_RESTORE_STEP, task));
9499
9500                } else {
9501                    mIsRestoreInProgress = false;
9502                    if (MORE_DEBUG) {
9503                        Slog.d(TAG, "No pending restores.");
9504                    }
9505                }
9506            }
9507
9508            mWakelock.release();
9509        }
9510
9511        void keyValueAgentErrorCleanup() {
9512            // If the agent fails restore, it might have put the app's data
9513            // into an incoherent state.  For consistency we wipe its data
9514            // again in this case before continuing with normal teardown
9515            clearApplicationDataSynchronous(mCurrentPackage.packageName);
9516            keyValueAgentCleanup();
9517        }
9518
9519        // TODO: clean up naming; this is now used at finish by both k/v and stream restores
9520        void keyValueAgentCleanup() {
9521            mBackupDataName.delete();
9522            mStageName.delete();
9523            try { if (mBackupData != null) mBackupData.close(); } catch (IOException e) {}
9524            try { if (mNewState != null) mNewState.close(); } catch (IOException e) {}
9525            mBackupData = mNewState = null;
9526
9527            // if everything went okay, remember the recorded state now
9528            //
9529            // !!! TODO: the restored data could be migrated on the server
9530            // side into the current dataset.  In that case the new state file
9531            // we just created would reflect the data already extant in the
9532            // backend, so there'd be nothing more to do.  Until that happens,
9533            // however, we need to make sure that we record the data to the
9534            // current backend dataset.  (Yes, this means shipping the data over
9535            // the wire in both directions.  That's bad, but consistency comes
9536            // first, then efficiency.)  Once we introduce server-side data
9537            // migration to the newly-restored device's dataset, we will change
9538            // the following from a discard of the newly-written state to the
9539            // "correct" operation of renaming into the canonical state blob.
9540            mNewStateName.delete();                      // TODO: remove; see above comment
9541            //mNewStateName.renameTo(mSavedStateName);   // TODO: replace with this
9542
9543            // If this wasn't the PM pseudopackage, tear down the agent side
9544            if (mCurrentPackage.applicationInfo != null) {
9545                // unbind and tidy up even on timeout or failure
9546                try {
9547                    mActivityManager.unbindBackupAgent(mCurrentPackage.applicationInfo);
9548
9549                    // The agent was probably running with a stub Application object,
9550                    // which isn't a valid run mode for the main app logic.  Shut
9551                    // down the app so that next time it's launched, it gets the
9552                    // usual full initialization.  Note that this is only done for
9553                    // full-system restores: when a single app has requested a restore,
9554                    // it is explicitly not killed following that operation.
9555                    //
9556                    // We execute this kill when these conditions hold:
9557                    //    1. it's not a system-uid process,
9558                    //    2. the app did not request its own restore (mTargetPackage == null), and either
9559                    //    3a. the app is a full-data target (TYPE_FULL_STREAM) or
9560                    //     b. the app does not state android:killAfterRestore="false" in its manifest
9561                    final int appFlags = mCurrentPackage.applicationInfo.flags;
9562                    final boolean killAfterRestore =
9563                            (mCurrentPackage.applicationInfo.uid >= Process.FIRST_APPLICATION_UID)
9564                            && ((mRestoreDescription.getDataType() == RestoreDescription.TYPE_FULL_STREAM)
9565                                    || ((appFlags & ApplicationInfo.FLAG_KILL_AFTER_RESTORE) != 0));
9566
9567                    if (mTargetPackage == null && killAfterRestore) {
9568                        if (DEBUG) Slog.d(TAG, "Restore complete, killing host process of "
9569                                + mCurrentPackage.applicationInfo.processName);
9570                        mActivityManager.killApplicationProcess(
9571                                mCurrentPackage.applicationInfo.processName,
9572                                mCurrentPackage.applicationInfo.uid);
9573                    }
9574                } catch (RemoteException e) {
9575                    // can't happen; we run in the same process as the activity manager
9576                }
9577            }
9578
9579            // The caller is responsible for reestablishing the state machine; our
9580            // responsibility here is to clear the decks for whatever comes next.
9581            mBackupHandler.removeMessages(MSG_RESTORE_OPERATION_TIMEOUT, this);
9582        }
9583
9584        @Override
9585        public void operationComplete(long unusedResult) {
9586            removeOperation(mEphemeralOpToken);
9587            if (MORE_DEBUG) {
9588                Slog.i(TAG, "operationComplete() during restore: target="
9589                        + mCurrentPackage.packageName
9590                        + " state=" + mState);
9591            }
9592
9593            final UnifiedRestoreState nextState;
9594            switch (mState) {
9595                case INITIAL:
9596                    // We've just (manually) restored the PMBA.  It doesn't need the
9597                    // additional restore-finished callback so we bypass that and go
9598                    // directly to running the queue.
9599                    nextState = UnifiedRestoreState.RUNNING_QUEUE;
9600                    break;
9601
9602                case RESTORE_KEYVALUE:
9603                case RESTORE_FULL: {
9604                    // Okay, we've just heard back from the agent that it's done with
9605                    // the restore itself.  We now have to send the same agent its
9606                    // doRestoreFinished() callback, so roll into that state.
9607                    nextState = UnifiedRestoreState.RESTORE_FINISHED;
9608                    break;
9609                }
9610
9611                case RESTORE_FINISHED: {
9612                    // Okay, we're done with this package.  Tidy up and go on to the next
9613                    // app in the queue.
9614                    int size = (int) mBackupDataName.length();
9615                    EventLog.writeEvent(EventLogTags.RESTORE_PACKAGE,
9616                            mCurrentPackage.packageName, size);
9617
9618                    // Just go back to running the restore queue
9619                    keyValueAgentCleanup();
9620
9621                    // If there was widget state associated with this app, get the OS to
9622                    // incorporate it into current bookeeping and then pass that along to
9623                    // the app as part of the restore-time work.
9624                    if (mWidgetData != null) {
9625                        restoreWidgetData(mCurrentPackage.packageName, mWidgetData);
9626                    }
9627
9628                    nextState = UnifiedRestoreState.RUNNING_QUEUE;
9629                    break;
9630                }
9631
9632                default: {
9633                    // Some kind of horrible semantic error; we're in an unexpected state.
9634                    // Back off hard and wind up.
9635                    Slog.e(TAG, "Unexpected restore callback into state " + mState);
9636                    keyValueAgentErrorCleanup();
9637                    nextState = UnifiedRestoreState.FINAL;
9638                    break;
9639                }
9640            }
9641
9642            executeNextState(nextState);
9643        }
9644
9645        // A call to agent.doRestore() or agent.doRestoreFinished() has timed out
9646        @Override
9647        public void handleCancel(boolean cancelAll) {
9648            removeOperation(mEphemeralOpToken);
9649            Slog.e(TAG, "Timeout restoring application " + mCurrentPackage.packageName);
9650            mMonitor = monitorEvent(mMonitor,
9651                    BackupManagerMonitor.LOG_EVENT_ID_KEY_VALUE_RESTORE_TIMEOUT,
9652                    mCurrentPackage, BackupManagerMonitor.LOG_EVENT_CATEGORY_AGENT, null);
9653            EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
9654                    mCurrentPackage.packageName, "restore timeout");
9655            // Handle like an agent that threw on invocation: wipe it and go on to the next
9656            keyValueAgentErrorCleanup();
9657            executeNextState(UnifiedRestoreState.RUNNING_QUEUE);
9658        }
9659
9660        void executeNextState(UnifiedRestoreState nextState) {
9661            if (MORE_DEBUG) Slog.i(TAG, " => executing next step on "
9662                    + this + " nextState=" + nextState);
9663            mState = nextState;
9664            Message msg = mBackupHandler.obtainMessage(MSG_BACKUP_RESTORE_STEP, this);
9665            mBackupHandler.sendMessage(msg);
9666        }
9667
9668        // restore observer support
9669        void sendStartRestore(int numPackages) {
9670            if (mObserver != null) {
9671                try {
9672                    mObserver.restoreStarting(numPackages);
9673                } catch (RemoteException e) {
9674                    Slog.w(TAG, "Restore observer went away: startRestore");
9675                    mObserver = null;
9676                }
9677            }
9678        }
9679
9680        void sendOnRestorePackage(String name) {
9681            if (mObserver != null) {
9682                if (mObserver != null) {
9683                    try {
9684                        mObserver.onUpdate(mCount, name);
9685                    } catch (RemoteException e) {
9686                        Slog.d(TAG, "Restore observer died in onUpdate");
9687                        mObserver = null;
9688                    }
9689                }
9690            }
9691        }
9692
9693        void sendEndRestore() {
9694            if (mObserver != null) {
9695                try {
9696                    mObserver.restoreFinished(mStatus);
9697                } catch (RemoteException e) {
9698                    Slog.w(TAG, "Restore observer went away: endRestore");
9699                    mObserver = null;
9700                }
9701            }
9702        }
9703    }
9704
9705    class PerformClearTask implements Runnable {
9706        IBackupTransport mTransport;
9707        PackageInfo mPackage;
9708
9709        PerformClearTask(IBackupTransport transport, PackageInfo packageInfo) {
9710            mTransport = transport;
9711            mPackage = packageInfo;
9712        }
9713
9714        public void run() {
9715            try {
9716                // Clear the on-device backup state to ensure a full backup next time
9717                File stateDir = new File(mBaseStateDir, mTransport.transportDirName());
9718                File stateFile = new File(stateDir, mPackage.packageName);
9719                stateFile.delete();
9720
9721                // Tell the transport to remove all the persistent storage for the app
9722                // TODO - need to handle failures
9723                mTransport.clearBackupData(mPackage);
9724            } catch (Exception e) {
9725                Slog.e(TAG, "Transport threw clearing data for " + mPackage + ": " + e.getMessage());
9726            } finally {
9727                try {
9728                    // TODO - need to handle failures
9729                    mTransport.finishBackup();
9730                } catch (Exception e) {
9731                    // Nothing we can do here, alas
9732                    Slog.e(TAG, "Unable to mark clear operation finished: " + e.getMessage());
9733                }
9734
9735                // Last but not least, release the cpu
9736                mWakelock.release();
9737            }
9738        }
9739    }
9740
9741    class PerformInitializeTask implements Runnable {
9742        HashSet<String> mQueue;
9743
9744        PerformInitializeTask(HashSet<String> transportNames) {
9745            mQueue = transportNames;
9746        }
9747
9748        public void run() {
9749            try {
9750                for (String transportName : mQueue) {
9751                    IBackupTransport transport =
9752                            mTransportManager.getTransportBinder(transportName);
9753                    if (transport == null) {
9754                        Slog.e(TAG, "Requested init for " + transportName + " but not found");
9755                        continue;
9756                    }
9757
9758                    Slog.i(TAG, "Initializing (wiping) backup transport storage: " + transportName);
9759                    EventLog.writeEvent(EventLogTags.BACKUP_START, transport.transportDirName());
9760                    long startRealtime = SystemClock.elapsedRealtime();
9761                    int status = transport.initializeDevice();
9762
9763                    if (status == BackupTransport.TRANSPORT_OK) {
9764                        status = transport.finishBackup();
9765                    }
9766
9767                    // Okay, the wipe really happened.  Clean up our local bookkeeping.
9768                    if (status == BackupTransport.TRANSPORT_OK) {
9769                        Slog.i(TAG, "Device init successful");
9770                        int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
9771                        EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
9772                        resetBackupState(new File(mBaseStateDir, transport.transportDirName()));
9773                        EventLog.writeEvent(EventLogTags.BACKUP_SUCCESS, 0, millis);
9774                        synchronized (mQueueLock) {
9775                            recordInitPendingLocked(false, transportName);
9776                        }
9777                    } else {
9778                        // If this didn't work, requeue this one and try again
9779                        // after a suitable interval
9780                        Slog.e(TAG, "Transport error in initializeDevice()");
9781                        EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
9782                        synchronized (mQueueLock) {
9783                            recordInitPendingLocked(true, transportName);
9784                        }
9785                        // do this via another alarm to make sure of the wakelock states
9786                        long delay = transport.requestBackupTime();
9787                        Slog.w(TAG, "Init failed on " + transportName + " resched in " + delay);
9788                        mAlarmManager.set(AlarmManager.RTC_WAKEUP,
9789                                System.currentTimeMillis() + delay, mRunInitIntent);
9790                    }
9791                }
9792            } catch (Exception e) {
9793                Slog.e(TAG, "Unexpected error performing init", e);
9794            } finally {
9795                // Done; release the wakelock
9796                mWakelock.release();
9797            }
9798        }
9799    }
9800
9801    private void dataChangedImpl(String packageName) {
9802        HashSet<String> targets = dataChangedTargets(packageName);
9803        dataChangedImpl(packageName, targets);
9804    }
9805
9806    private void dataChangedImpl(String packageName, HashSet<String> targets) {
9807        // Record that we need a backup pass for the caller.  Since multiple callers
9808        // may share a uid, we need to note all candidates within that uid and schedule
9809        // a backup pass for each of them.
9810        if (targets == null) {
9811            Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
9812                   + " uid=" + Binder.getCallingUid());
9813            return;
9814        }
9815
9816        synchronized (mQueueLock) {
9817            // Note that this client has made data changes that need to be backed up
9818            if (targets.contains(packageName)) {
9819                // Add the caller to the set of pending backups.  If there is
9820                // one already there, then overwrite it, but no harm done.
9821                BackupRequest req = new BackupRequest(packageName);
9822                if (mPendingBackups.put(packageName, req) == null) {
9823                    if (MORE_DEBUG) Slog.d(TAG, "Now staging backup of " + packageName);
9824
9825                    // Journal this request in case of crash.  The put()
9826                    // operation returned null when this package was not already
9827                    // in the set; we want to avoid touching the disk redundantly.
9828                    writeToJournalLocked(packageName);
9829                }
9830            }
9831        }
9832
9833        // ...and schedule a backup pass if necessary
9834        KeyValueBackupJob.schedule(mContext);
9835    }
9836
9837    // Note: packageName is currently unused, but may be in the future
9838    private HashSet<String> dataChangedTargets(String packageName) {
9839        // If the caller does not hold the BACKUP permission, it can only request a
9840        // backup of its own data.
9841        if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
9842                Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
9843            synchronized (mBackupParticipants) {
9844                return mBackupParticipants.get(Binder.getCallingUid());
9845            }
9846        }
9847
9848        // a caller with full permission can ask to back up any participating app
9849        HashSet<String> targets = new HashSet<String>();
9850        if (PACKAGE_MANAGER_SENTINEL.equals(packageName)) {
9851            targets.add(PACKAGE_MANAGER_SENTINEL);
9852        } else {
9853            synchronized (mBackupParticipants) {
9854                int N = mBackupParticipants.size();
9855                for (int i = 0; i < N; i++) {
9856                    HashSet<String> s = mBackupParticipants.valueAt(i);
9857                    if (s != null) {
9858                        targets.addAll(s);
9859                    }
9860                }
9861            }
9862        }
9863        return targets;
9864    }
9865
9866    private void writeToJournalLocked(String str) {
9867        RandomAccessFile out = null;
9868        try {
9869            if (mJournal == null) mJournal = File.createTempFile("journal", null, mJournalDir);
9870            out = new RandomAccessFile(mJournal, "rws");
9871            out.seek(out.length());
9872            out.writeUTF(str);
9873        } catch (IOException e) {
9874            Slog.e(TAG, "Can't write " + str + " to backup journal", e);
9875            mJournal = null;
9876        } finally {
9877            try { if (out != null) out.close(); } catch (IOException e) {}
9878        }
9879    }
9880
9881    // ----- IBackupManager binder interface -----
9882
9883    @Override
9884    public void dataChanged(final String packageName) {
9885        final int callingUserHandle = UserHandle.getCallingUserId();
9886        if (callingUserHandle != UserHandle.USER_SYSTEM) {
9887            // TODO: http://b/22388012
9888            // App is running under a non-owner user profile.  For now, we do not back
9889            // up data from secondary user profiles.
9890            // TODO: backups for all user profiles although don't add backup for profiles
9891            // without adding admin control in DevicePolicyManager.
9892            if (MORE_DEBUG) {
9893                Slog.v(TAG, "dataChanged(" + packageName + ") ignored because it's user "
9894                        + callingUserHandle);
9895            }
9896            return;
9897        }
9898
9899        final HashSet<String> targets = dataChangedTargets(packageName);
9900        if (targets == null) {
9901            Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
9902                   + " uid=" + Binder.getCallingUid());
9903            return;
9904        }
9905
9906        mBackupHandler.post(new Runnable() {
9907                public void run() {
9908                    dataChangedImpl(packageName, targets);
9909                }
9910            });
9911    }
9912
9913    // Clear the given package's backup data from the current transport
9914    @Override
9915    public void clearBackupData(String transportName, String packageName) {
9916        if (DEBUG) Slog.v(TAG, "clearBackupData() of " + packageName + " on " + transportName);
9917        PackageInfo info;
9918        try {
9919            info = mPackageManager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
9920        } catch (NameNotFoundException e) {
9921            Slog.d(TAG, "No such package '" + packageName + "' - not clearing backup data");
9922            return;
9923        }
9924
9925        // If the caller does not hold the BACKUP permission, it can only request a
9926        // wipe of its own backed-up data.
9927        HashSet<String> apps;
9928        if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
9929                Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
9930            apps = mBackupParticipants.get(Binder.getCallingUid());
9931        } else {
9932            // a caller with full permission can ask to back up any participating app
9933            // !!! TODO: allow data-clear of ANY app?
9934            if (MORE_DEBUG) Slog.v(TAG, "Privileged caller, allowing clear of other apps");
9935            apps = new HashSet<String>();
9936            int N = mBackupParticipants.size();
9937            for (int i = 0; i < N; i++) {
9938                HashSet<String> s = mBackupParticipants.valueAt(i);
9939                if (s != null) {
9940                    apps.addAll(s);
9941                }
9942            }
9943        }
9944
9945        // Is the given app an available participant?
9946        if (apps.contains(packageName)) {
9947            // found it; fire off the clear request
9948            if (MORE_DEBUG) Slog.v(TAG, "Found the app - running clear process");
9949            mBackupHandler.removeMessages(MSG_RETRY_CLEAR);
9950            synchronized (mQueueLock) {
9951                final IBackupTransport transport =
9952                        mTransportManager.getTransportBinder(transportName);
9953                if (transport == null) {
9954                    // transport is currently unavailable -- make sure to retry
9955                    Message msg = mBackupHandler.obtainMessage(MSG_RETRY_CLEAR,
9956                            new ClearRetryParams(transportName, packageName));
9957                    mBackupHandler.sendMessageDelayed(msg, TRANSPORT_RETRY_INTERVAL);
9958                    return;
9959                }
9960                long oldId = Binder.clearCallingIdentity();
9961                mWakelock.acquire();
9962                Message msg = mBackupHandler.obtainMessage(MSG_RUN_CLEAR,
9963                        new ClearParams(transport, info));
9964                mBackupHandler.sendMessage(msg);
9965                Binder.restoreCallingIdentity(oldId);
9966            }
9967        }
9968    }
9969
9970    // Run a backup pass immediately for any applications that have declared
9971    // that they have pending updates.
9972    @Override
9973    public void backupNow() {
9974        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "backupNow");
9975
9976        final PowerSaveState result =
9977                mPowerManager.getPowerSaveState(ServiceType.KEYVALUE_BACKUP);
9978        if (result.batterySaverEnabled) {
9979            if (DEBUG) Slog.v(TAG, "Not running backup while in battery save mode");
9980            KeyValueBackupJob.schedule(mContext);   // try again in several hours
9981        } else {
9982            if (DEBUG) Slog.v(TAG, "Scheduling immediate backup pass");
9983            synchronized (mQueueLock) {
9984                // Fire the intent that kicks off the whole shebang...
9985                try {
9986                    mRunBackupIntent.send();
9987                } catch (PendingIntent.CanceledException e) {
9988                    // should never happen
9989                    Slog.e(TAG, "run-backup intent cancelled!");
9990                }
9991
9992                // ...and cancel any pending scheduled job, because we've just superseded it
9993                KeyValueBackupJob.cancel(mContext);
9994            }
9995        }
9996    }
9997
9998    boolean deviceIsProvisioned() {
9999        final ContentResolver resolver = mContext.getContentResolver();
10000        return (Settings.Global.getInt(resolver, Settings.Global.DEVICE_PROVISIONED, 0) != 0);
10001    }
10002
10003    // Run a backup pass for the given packages, writing the resulting data stream
10004    // to the supplied file descriptor.  This method is synchronous and does not return
10005    // to the caller until the backup has been completed.
10006    //
10007    // This is the variant used by 'adb backup'; it requires on-screen confirmation
10008    // by the user because it can be used to offload data over untrusted USB.
10009    @Override
10010    public void adbBackup(ParcelFileDescriptor fd, boolean includeApks, boolean includeObbs,
10011            boolean includeShared, boolean doWidgets, boolean doAllApps, boolean includeSystem,
10012            boolean compress, boolean doKeyValue, String[] pkgList) {
10013        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "adbBackup");
10014
10015        final int callingUserHandle = UserHandle.getCallingUserId();
10016        // TODO: http://b/22388012
10017        if (callingUserHandle != UserHandle.USER_SYSTEM) {
10018            throw new IllegalStateException("Backup supported only for the device owner");
10019        }
10020
10021        // Validate
10022        if (!doAllApps) {
10023            if (!includeShared) {
10024                // If we're backing up shared data (sdcard or equivalent), then we can run
10025                // without any supplied app names.  Otherwise, we'd be doing no work, so
10026                // report the error.
10027                if (pkgList == null || pkgList.length == 0) {
10028                    throw new IllegalArgumentException(
10029                            "Backup requested but neither shared nor any apps named");
10030                }
10031            }
10032        }
10033
10034        long oldId = Binder.clearCallingIdentity();
10035        try {
10036            // Doesn't make sense to do a full backup prior to setup
10037            if (!deviceIsProvisioned()) {
10038                Slog.i(TAG, "Backup not supported before setup");
10039                return;
10040            }
10041
10042            if (DEBUG) Slog.v(TAG, "Requesting backup: apks=" + includeApks + " obb=" + includeObbs
10043                    + " shared=" + includeShared + " all=" + doAllApps + " system="
10044                    + includeSystem + " includekeyvalue=" + doKeyValue + " pkgs=" + pkgList);
10045            Slog.i(TAG, "Beginning adb backup...");
10046
10047            AdbBackupParams params = new AdbBackupParams(fd, includeApks, includeObbs,
10048                    includeShared, doWidgets, doAllApps, includeSystem, compress, doKeyValue,
10049                    pkgList);
10050            final int token = generateRandomIntegerToken();
10051            synchronized (mAdbBackupRestoreConfirmations) {
10052                mAdbBackupRestoreConfirmations.put(token, params);
10053            }
10054
10055            // start up the confirmation UI
10056            if (DEBUG) Slog.d(TAG, "Starting backup confirmation UI, token=" + token);
10057            if (!startConfirmationUi(token, FullBackup.FULL_BACKUP_INTENT_ACTION)) {
10058                Slog.e(TAG, "Unable to launch backup confirmation UI");
10059                mAdbBackupRestoreConfirmations.delete(token);
10060                return;
10061            }
10062
10063            // make sure the screen is lit for the user interaction
10064            mPowerManager.userActivity(SystemClock.uptimeMillis(),
10065                    PowerManager.USER_ACTIVITY_EVENT_OTHER,
10066                    0);
10067
10068            // start the confirmation countdown
10069            startConfirmationTimeout(token, params);
10070
10071            // wait for the backup to be performed
10072            if (DEBUG) Slog.d(TAG, "Waiting for backup completion...");
10073            waitForCompletion(params);
10074        } finally {
10075            try {
10076                fd.close();
10077            } catch (IOException e) {
10078                // just eat it
10079            }
10080            Binder.restoreCallingIdentity(oldId);
10081            Slog.d(TAG, "Adb backup processing complete.");
10082        }
10083    }
10084
10085    @Override
10086    public void fullTransportBackup(String[] pkgNames) {
10087        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP,
10088                "fullTransportBackup");
10089
10090        final int callingUserHandle = UserHandle.getCallingUserId();
10091        // TODO: http://b/22388012
10092        if (callingUserHandle != UserHandle.USER_SYSTEM) {
10093            throw new IllegalStateException("Restore supported only for the device owner");
10094        }
10095
10096        if (!fullBackupAllowable(mTransportManager.getCurrentTransportBinder())) {
10097            Slog.i(TAG, "Full backup not currently possible -- key/value backup not yet run?");
10098        } else {
10099            if (DEBUG) {
10100                Slog.d(TAG, "fullTransportBackup()");
10101            }
10102
10103            final long oldId = Binder.clearCallingIdentity();
10104            try {
10105                CountDownLatch latch = new CountDownLatch(1);
10106                PerformFullTransportBackupTask task = new PerformFullTransportBackupTask(null,
10107                        pkgNames, false, null, latch, null, null, false /* userInitiated */);
10108                // Acquiring wakelock for PerformFullTransportBackupTask before its start.
10109                mWakelock.acquire();
10110                (new Thread(task, "full-transport-master")).start();
10111                do {
10112                    try {
10113                        latch.await();
10114                        break;
10115                    } catch (InterruptedException e) {
10116                        // Just go back to waiting for the latch to indicate completion
10117                    }
10118                } while (true);
10119
10120                // We just ran a backup on these packages, so kick them to the end of the queue
10121                final long now = System.currentTimeMillis();
10122                for (String pkg : pkgNames) {
10123                    enqueueFullBackup(pkg, now);
10124                }
10125            } finally {
10126                Binder.restoreCallingIdentity(oldId);
10127            }
10128        }
10129
10130        if (DEBUG) {
10131            Slog.d(TAG, "Done with full transport backup.");
10132        }
10133    }
10134
10135    @Override
10136    public void adbRestore(ParcelFileDescriptor fd) {
10137        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "adbRestore");
10138
10139        final int callingUserHandle = UserHandle.getCallingUserId();
10140        // TODO: http://b/22388012
10141        if (callingUserHandle != UserHandle.USER_SYSTEM) {
10142            throw new IllegalStateException("Restore supported only for the device owner");
10143        }
10144
10145        long oldId = Binder.clearCallingIdentity();
10146
10147        try {
10148            // Check whether the device has been provisioned -- we don't handle
10149            // full restores prior to completing the setup process.
10150            if (!deviceIsProvisioned()) {
10151                Slog.i(TAG, "Full restore not permitted before setup");
10152                return;
10153            }
10154
10155            Slog.i(TAG, "Beginning restore...");
10156
10157            AdbRestoreParams params = new AdbRestoreParams(fd);
10158            final int token = generateRandomIntegerToken();
10159            synchronized (mAdbBackupRestoreConfirmations) {
10160                mAdbBackupRestoreConfirmations.put(token, params);
10161            }
10162
10163            // start up the confirmation UI
10164            if (DEBUG) Slog.d(TAG, "Starting restore confirmation UI, token=" + token);
10165            if (!startConfirmationUi(token, FullBackup.FULL_RESTORE_INTENT_ACTION)) {
10166                Slog.e(TAG, "Unable to launch restore confirmation");
10167                mAdbBackupRestoreConfirmations.delete(token);
10168                return;
10169            }
10170
10171            // make sure the screen is lit for the user interaction
10172            mPowerManager.userActivity(SystemClock.uptimeMillis(),
10173                    PowerManager.USER_ACTIVITY_EVENT_OTHER,
10174                    0);
10175
10176            // start the confirmation countdown
10177            startConfirmationTimeout(token, params);
10178
10179            // wait for the restore to be performed
10180            if (DEBUG) Slog.d(TAG, "Waiting for restore completion...");
10181            waitForCompletion(params);
10182        } finally {
10183            try {
10184                fd.close();
10185            } catch (IOException e) {
10186                Slog.w(TAG, "Error trying to close fd after adb restore: " + e);
10187            }
10188            Binder.restoreCallingIdentity(oldId);
10189            Slog.i(TAG, "adb restore processing complete.");
10190        }
10191    }
10192
10193    boolean startConfirmationUi(int token, String action) {
10194        try {
10195            Intent confIntent = new Intent(action);
10196            confIntent.setClassName("com.android.backupconfirm",
10197                    "com.android.backupconfirm.BackupRestoreConfirmation");
10198            confIntent.putExtra(FullBackup.CONF_TOKEN_INTENT_EXTRA, token);
10199            confIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
10200            mContext.startActivityAsUser(confIntent, UserHandle.SYSTEM);
10201        } catch (ActivityNotFoundException e) {
10202            return false;
10203        }
10204        return true;
10205    }
10206
10207    void startConfirmationTimeout(int token, AdbParams params) {
10208        if (MORE_DEBUG) Slog.d(TAG, "Posting conf timeout msg after "
10209                + TIMEOUT_FULL_CONFIRMATION + " millis");
10210        Message msg = mBackupHandler.obtainMessage(MSG_FULL_CONFIRMATION_TIMEOUT,
10211                token, 0, params);
10212        mBackupHandler.sendMessageDelayed(msg, TIMEOUT_FULL_CONFIRMATION);
10213    }
10214
10215    void waitForCompletion(AdbParams params) {
10216        synchronized (params.latch) {
10217            while (params.latch.get() == false) {
10218                try {
10219                    params.latch.wait();
10220                } catch (InterruptedException e) { /* never interrupted */ }
10221            }
10222        }
10223    }
10224
10225    void signalAdbBackupRestoreCompletion(AdbParams params) {
10226        synchronized (params.latch) {
10227            params.latch.set(true);
10228            params.latch.notifyAll();
10229        }
10230    }
10231
10232    // Confirm that the previously-requested full backup/restore operation can proceed.  This
10233    // is used to require a user-facing disclosure about the operation.
10234    @Override
10235    public void acknowledgeAdbBackupOrRestore(int token, boolean allow,
10236            String curPassword, String encPpassword, IFullBackupRestoreObserver observer) {
10237        if (DEBUG) Slog.d(TAG, "acknowledgeAdbBackupOrRestore : token=" + token
10238                + " allow=" + allow);
10239
10240        // TODO: possibly require not just this signature-only permission, but even
10241        // require that the specific designated confirmation-UI app uid is the caller?
10242        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "acknowledgeAdbBackupOrRestore");
10243
10244        long oldId = Binder.clearCallingIdentity();
10245        try {
10246
10247            AdbParams params;
10248            synchronized (mAdbBackupRestoreConfirmations) {
10249                params = mAdbBackupRestoreConfirmations.get(token);
10250                if (params != null) {
10251                    mBackupHandler.removeMessages(MSG_FULL_CONFIRMATION_TIMEOUT, params);
10252                    mAdbBackupRestoreConfirmations.delete(token);
10253
10254                    if (allow) {
10255                        final int verb = params instanceof AdbBackupParams
10256                                ? MSG_RUN_ADB_BACKUP
10257                                : MSG_RUN_ADB_RESTORE;
10258
10259                        params.observer = observer;
10260                        params.curPassword = curPassword;
10261
10262                        params.encryptPassword = encPpassword;
10263
10264                        if (MORE_DEBUG) Slog.d(TAG, "Sending conf message with verb " + verb);
10265                        mWakelock.acquire();
10266                        Message msg = mBackupHandler.obtainMessage(verb, params);
10267                        mBackupHandler.sendMessage(msg);
10268                    } else {
10269                        Slog.w(TAG, "User rejected full backup/restore operation");
10270                        // indicate completion without having actually transferred any data
10271                        signalAdbBackupRestoreCompletion(params);
10272                    }
10273                } else {
10274                    Slog.w(TAG, "Attempted to ack full backup/restore with invalid token");
10275                }
10276            }
10277        } finally {
10278            Binder.restoreCallingIdentity(oldId);
10279        }
10280    }
10281
10282    private static boolean backupSettingMigrated(int userId) {
10283        File base = new File(Environment.getDataDirectory(), "backup");
10284        File enableFile = new File(base, BACKUP_ENABLE_FILE);
10285        return enableFile.exists();
10286    }
10287
10288    private static boolean readBackupEnableState(int userId) {
10289        File base = new File(Environment.getDataDirectory(), "backup");
10290        File enableFile = new File(base, BACKUP_ENABLE_FILE);
10291        if (enableFile.exists()) {
10292            try (FileInputStream fin = new FileInputStream(enableFile)) {
10293                int state = fin.read();
10294                return state != 0;
10295            } catch (IOException e) {
10296                // can't read the file; fall through to assume disabled
10297                Slog.e(TAG, "Cannot read enable state; assuming disabled");
10298            }
10299        } else {
10300            if (DEBUG) {
10301                Slog.i(TAG, "isBackupEnabled() => false due to absent settings file");
10302            }
10303        }
10304        return false;
10305    }
10306
10307    private static void writeBackupEnableState(boolean enable, int userId) {
10308        File base = new File(Environment.getDataDirectory(), "backup");
10309        File enableFile = new File(base, BACKUP_ENABLE_FILE);
10310        File stage = new File(base, BACKUP_ENABLE_FILE + "-stage");
10311        FileOutputStream fout = null;
10312        try {
10313            fout = new FileOutputStream(stage);
10314            fout.write(enable ? 1 : 0);
10315            fout.close();
10316            stage.renameTo(enableFile);
10317            // will be synced immediately by the try-with-resources call to close()
10318        } catch (IOException|RuntimeException e) {
10319            // Whoops; looks like we're doomed.  Roll everything out, disabled,
10320            // including the legacy state.
10321            Slog.e(TAG, "Unable to record backup enable state; reverting to disabled: "
10322                    + e.getMessage());
10323
10324            final ContentResolver r = sInstance.mContext.getContentResolver();
10325            Settings.Secure.putStringForUser(r,
10326                    Settings.Secure.BACKUP_ENABLED, null, userId);
10327            enableFile.delete();
10328            stage.delete();
10329        } finally {
10330            IoUtils.closeQuietly(fout);
10331        }
10332    }
10333
10334    // Enable/disable backups
10335    @Override
10336    public void setBackupEnabled(boolean enable) {
10337        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10338                "setBackupEnabled");
10339
10340        Slog.i(TAG, "Backup enabled => " + enable);
10341
10342        long oldId = Binder.clearCallingIdentity();
10343        try {
10344            boolean wasEnabled = mEnabled;
10345            synchronized (this) {
10346                writeBackupEnableState(enable, UserHandle.USER_SYSTEM);
10347                mEnabled = enable;
10348            }
10349
10350            synchronized (mQueueLock) {
10351                if (enable && !wasEnabled && mProvisioned) {
10352                    // if we've just been enabled, start scheduling backup passes
10353                    KeyValueBackupJob.schedule(mContext);
10354                    scheduleNextFullBackupJob(0);
10355                } else if (!enable) {
10356                    // No longer enabled, so stop running backups
10357                    if (MORE_DEBUG) Slog.i(TAG, "Opting out of backup");
10358
10359                    KeyValueBackupJob.cancel(mContext);
10360
10361                    // This also constitutes an opt-out, so we wipe any data for
10362                    // this device from the backend.  We start that process with
10363                    // an alarm in order to guarantee wakelock states.
10364                    if (wasEnabled && mProvisioned) {
10365                        // NOTE: we currently flush every registered transport, not just
10366                        // the currently-active one.
10367                        String[] allTransports = mTransportManager.getBoundTransportNames();
10368                        // build the set of transports for which we are posting an init
10369                        for (String transport : allTransports) {
10370                            recordInitPendingLocked(true, transport);
10371                        }
10372                        mAlarmManager.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(),
10373                                mRunInitIntent);
10374                    }
10375                }
10376            }
10377        } finally {
10378            Binder.restoreCallingIdentity(oldId);
10379        }
10380    }
10381
10382    // Enable/disable automatic restore of app data at install time
10383    @Override
10384    public void setAutoRestore(boolean doAutoRestore) {
10385        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10386                "setAutoRestore");
10387
10388        Slog.i(TAG, "Auto restore => " + doAutoRestore);
10389
10390        final long oldId = Binder.clearCallingIdentity();
10391        try {
10392            synchronized (this) {
10393                Settings.Secure.putInt(mContext.getContentResolver(),
10394                        Settings.Secure.BACKUP_AUTO_RESTORE, doAutoRestore ? 1 : 0);
10395                mAutoRestore = doAutoRestore;
10396            }
10397        } finally {
10398            Binder.restoreCallingIdentity(oldId);
10399        }
10400    }
10401
10402    // Mark the backup service as having been provisioned
10403    @Override
10404    public void setBackupProvisioned(boolean available) {
10405        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10406                "setBackupProvisioned");
10407        /*
10408         * This is now a no-op; provisioning is simply the device's own setup state.
10409         */
10410    }
10411
10412    // Report whether the backup mechanism is currently enabled
10413    @Override
10414    public boolean isBackupEnabled() {
10415        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "isBackupEnabled");
10416        return mEnabled;    // no need to synchronize just to read it
10417    }
10418
10419    // Report the name of the currently active transport
10420    @Override
10421    public String getCurrentTransport() {
10422        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10423                "getCurrentTransport");
10424        String currentTransport = mTransportManager.getCurrentTransportName();
10425        if (MORE_DEBUG) Slog.v(TAG, "... getCurrentTransport() returning " + currentTransport);
10426        return currentTransport;
10427    }
10428
10429    // Report all known, available backup transports
10430    @Override
10431    public String[] listAllTransports() {
10432        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "listAllTransports");
10433
10434        return mTransportManager.getBoundTransportNames();
10435    }
10436
10437    @Override
10438    public ComponentName[] listAllTransportComponents() {
10439        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10440                "listAllTransportComponents");
10441        return mTransportManager.getAllTransportCompenents();
10442    }
10443
10444    @Override
10445    public String[] getTransportWhitelist() {
10446        // No permission check, intentionally.
10447        Set<ComponentName> whitelistedComponents = mTransportManager.getTransportWhitelist();
10448        String[] whitelistedTransports = new String[whitelistedComponents.size()];
10449        int i = 0;
10450        for (ComponentName component : whitelistedComponents) {
10451            whitelistedTransports[i] = component.flattenToShortString();
10452            i++;
10453        }
10454        return whitelistedTransports;
10455    }
10456
10457    // Select which transport to use for the next backup operation.
10458    @Override
10459    public String selectBackupTransport(String transport) {
10460        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10461                "selectBackupTransport");
10462
10463        final long oldId = Binder.clearCallingIdentity();
10464        try {
10465            String prevTransport = mTransportManager.selectTransport(transport);
10466            updateStateForTransport(transport);
10467            Slog.v(TAG, "selectBackupTransport() set " + mTransportManager.getCurrentTransportName()
10468                    + " returning " + prevTransport);
10469            return prevTransport;
10470        } finally {
10471            Binder.restoreCallingIdentity(oldId);
10472        }
10473    }
10474
10475    @Override
10476    public void selectBackupTransportAsync(final ComponentName transport,
10477            final ISelectBackupTransportCallback listener) {
10478        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10479                "selectBackupTransportAsync");
10480
10481        final long oldId = Binder.clearCallingIdentity();
10482
10483        Slog.v(TAG, "selectBackupTransportAsync() called with transport " +
10484                transport.flattenToShortString());
10485
10486        mTransportManager.ensureTransportReady(transport, new SelectBackupTransportCallback() {
10487            @Override
10488            public void onSuccess(String transportName) {
10489                mTransportManager.selectTransport(transportName);
10490                updateStateForTransport(mTransportManager.getCurrentTransportName());
10491                Slog.v(TAG, "Transport successfully selected: " + transport.flattenToShortString());
10492                try {
10493                    listener.onSuccess(transportName);
10494                } catch (RemoteException e) {
10495                    // Nothing to do here.
10496                }
10497            }
10498
10499            @Override
10500            public void onFailure(int reason) {
10501                Slog.v(TAG, "Failed to select transport: " + transport.flattenToShortString());
10502                try {
10503                    listener.onFailure(reason);
10504                } catch (RemoteException e) {
10505                    // Nothing to do here.
10506                }
10507            }
10508        });
10509
10510        Binder.restoreCallingIdentity(oldId);
10511    }
10512
10513    private void updateStateForTransport(String newTransportName) {
10514        // Publish the name change
10515        Settings.Secure.putString(mContext.getContentResolver(),
10516                Settings.Secure.BACKUP_TRANSPORT, newTransportName);
10517
10518        // And update our current-dataset bookkeeping
10519        IBackupTransport transport = mTransportManager.getTransportBinder(newTransportName);
10520        if (transport != null) {
10521            try {
10522                mCurrentToken = transport.getCurrentRestoreSet();
10523            } catch (Exception e) {
10524                // Oops.  We can't know the current dataset token, so reset and figure it out
10525                // when we do the next k/v backup operation on this transport.
10526                mCurrentToken = 0;
10527            }
10528        } else {
10529            // The named transport isn't bound at this particular moment, so we can't
10530            // know yet what its current dataset token is.  Reset as above.
10531            mCurrentToken = 0;
10532        }
10533    }
10534
10535    // Supply the configuration Intent for the given transport.  If the name is not one
10536    // of the available transports, or if the transport does not supply any configuration
10537    // UI, the method returns null.
10538    @Override
10539    public Intent getConfigurationIntent(String transportName) {
10540        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10541                "getConfigurationIntent");
10542
10543        final IBackupTransport transport = mTransportManager.getTransportBinder(transportName);
10544        if (transport != null) {
10545            try {
10546                final Intent intent = transport.configurationIntent();
10547                if (MORE_DEBUG) Slog.d(TAG, "getConfigurationIntent() returning config intent "
10548                        + intent);
10549                return intent;
10550            } catch (Exception e) {
10551                /* fall through to return null */
10552                Slog.e(TAG, "Unable to get configuration intent from transport: " + e.getMessage());
10553            }
10554        }
10555
10556        return null;
10557    }
10558
10559    // Supply the configuration summary string for the given transport.  If the name is
10560    // not one of the available transports, or if the transport does not supply any
10561    // summary / destination string, the method can return null.
10562    //
10563    // This string is used VERBATIM as the summary text of the relevant Settings item!
10564    @Override
10565    public String getDestinationString(String transportName) {
10566        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10567                "getDestinationString");
10568
10569        final IBackupTransport transport = mTransportManager.getTransportBinder(transportName);
10570        if (transport != null) {
10571            try {
10572                final String text = transport.currentDestinationString();
10573                if (MORE_DEBUG) Slog.d(TAG, "getDestinationString() returning " + text);
10574                return text;
10575            } catch (Exception e) {
10576                /* fall through to return null */
10577                Slog.e(TAG, "Unable to get string from transport: " + e.getMessage());
10578            }
10579        }
10580
10581        return null;
10582    }
10583
10584    // Supply the manage-data intent for the given transport.
10585    @Override
10586    public Intent getDataManagementIntent(String transportName) {
10587        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10588                "getDataManagementIntent");
10589
10590        final IBackupTransport transport = mTransportManager.getTransportBinder(transportName);
10591        if (transport != null) {
10592            try {
10593                final Intent intent = transport.dataManagementIntent();
10594                if (MORE_DEBUG) Slog.d(TAG, "getDataManagementIntent() returning intent "
10595                        + intent);
10596                return intent;
10597            } catch (Exception e) {
10598                /* fall through to return null */
10599                Slog.e(TAG, "Unable to get management intent from transport: " + e.getMessage());
10600            }
10601        }
10602
10603        return null;
10604    }
10605
10606    // Supply the menu label for affordances that fire the manage-data intent
10607    // for the given transport.
10608    @Override
10609    public String getDataManagementLabel(String transportName) {
10610        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10611                "getDataManagementLabel");
10612
10613        final IBackupTransport transport = mTransportManager.getTransportBinder(transportName);
10614        if (transport != null) {
10615            try {
10616                final String text = transport.dataManagementLabel();
10617                if (MORE_DEBUG) Slog.d(TAG, "getDataManagementLabel() returning " + text);
10618                return text;
10619            } catch (Exception e) {
10620                /* fall through to return null */
10621                Slog.e(TAG, "Unable to get management label from transport: " + e.getMessage());
10622            }
10623        }
10624
10625        return null;
10626    }
10627
10628    // Callback: a requested backup agent has been instantiated.  This should only
10629    // be called from the Activity Manager.
10630    @Override
10631    public void agentConnected(String packageName, IBinder agentBinder) {
10632        synchronized(mAgentConnectLock) {
10633            if (Binder.getCallingUid() == Process.SYSTEM_UID) {
10634                Slog.d(TAG, "agentConnected pkg=" + packageName + " agent=" + agentBinder);
10635                IBackupAgent agent = IBackupAgent.Stub.asInterface(agentBinder);
10636                mConnectedAgent = agent;
10637                mConnecting = false;
10638            } else {
10639                Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
10640                        + " claiming agent connected");
10641            }
10642            mAgentConnectLock.notifyAll();
10643        }
10644    }
10645
10646    // Callback: a backup agent has failed to come up, or has unexpectedly quit.
10647    // If the agent failed to come up in the first place, the agentBinder argument
10648    // will be null.  This should only be called from the Activity Manager.
10649    @Override
10650    public void agentDisconnected(String packageName) {
10651        // TODO: handle backup being interrupted
10652        synchronized(mAgentConnectLock) {
10653            if (Binder.getCallingUid() == Process.SYSTEM_UID) {
10654                mConnectedAgent = null;
10655                mConnecting = false;
10656            } else {
10657                Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
10658                        + " claiming agent disconnected");
10659            }
10660            mAgentConnectLock.notifyAll();
10661        }
10662    }
10663
10664    // An application being installed will need a restore pass, then the Package Manager
10665    // will need to be told when the restore is finished.
10666    @Override
10667    public void restoreAtInstall(String packageName, int token) {
10668        if (Binder.getCallingUid() != Process.SYSTEM_UID) {
10669            Slog.w(TAG, "Non-system process uid=" + Binder.getCallingUid()
10670                    + " attemping install-time restore");
10671            return;
10672        }
10673
10674        boolean skip = false;
10675
10676        long restoreSet = getAvailableRestoreToken(packageName);
10677        if (DEBUG) Slog.v(TAG, "restoreAtInstall pkg=" + packageName
10678                + " token=" + Integer.toHexString(token)
10679                + " restoreSet=" + Long.toHexString(restoreSet));
10680        if (restoreSet == 0) {
10681            if (MORE_DEBUG) Slog.i(TAG, "No restore set");
10682            skip = true;
10683        }
10684
10685        // Do we have a transport to fetch data for us?
10686        IBackupTransport transport = mTransportManager.getCurrentTransportBinder();
10687        if (transport == null) {
10688            if (DEBUG) Slog.w(TAG, "No transport");
10689            skip = true;
10690        }
10691
10692        if (!mAutoRestore) {
10693            if (DEBUG) {
10694                Slog.w(TAG, "Non-restorable state: auto=" + mAutoRestore);
10695            }
10696            skip = true;
10697        }
10698
10699        if (!skip) {
10700            try {
10701                // okay, we're going to attempt a restore of this package from this restore set.
10702                // The eventual message back into the Package Manager to run the post-install
10703                // steps for 'token' will be issued from the restore handling code.
10704
10705                // This can throw and so *must* happen before the wakelock is acquired
10706                String dirName = transport.transportDirName();
10707
10708                mWakelock.acquire();
10709                if (MORE_DEBUG) {
10710                    Slog.d(TAG, "Restore at install of " + packageName);
10711                }
10712                Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
10713                msg.obj = new RestoreParams(transport, dirName, null, null,
10714                        restoreSet, packageName, token);
10715                mBackupHandler.sendMessage(msg);
10716            } catch (Exception e) {
10717                // Calling into the transport broke; back off and proceed with the installation.
10718                Slog.e(TAG, "Unable to contact transport: " + e.getMessage());
10719                skip = true;
10720            }
10721        }
10722
10723        if (skip) {
10724            // Auto-restore disabled or no way to attempt a restore; just tell the Package
10725            // Manager to proceed with the post-install handling for this package.
10726            if (DEBUG) Slog.v(TAG, "Finishing install immediately");
10727            try {
10728                mPackageManagerBinder.finishPackageInstall(token, false);
10729            } catch (RemoteException e) { /* can't happen */ }
10730        }
10731    }
10732
10733    // Hand off a restore session
10734    @Override
10735    public IRestoreSession beginRestoreSession(String packageName, String transport) {
10736        if (DEBUG) Slog.v(TAG, "beginRestoreSession: pkg=" + packageName
10737                + " transport=" + transport);
10738
10739        boolean needPermission = true;
10740        if (transport == null) {
10741            transport = mTransportManager.getCurrentTransportName();
10742
10743            if (packageName != null) {
10744                PackageInfo app = null;
10745                try {
10746                    app = mPackageManager.getPackageInfo(packageName, 0);
10747                } catch (NameNotFoundException nnf) {
10748                    Slog.w(TAG, "Asked to restore nonexistent pkg " + packageName);
10749                    throw new IllegalArgumentException("Package " + packageName + " not found");
10750                }
10751
10752                if (app.applicationInfo.uid == Binder.getCallingUid()) {
10753                    // So: using the current active transport, and the caller has asked
10754                    // that its own package will be restored.  In this narrow use case
10755                    // we do not require the caller to hold the permission.
10756                    needPermission = false;
10757                }
10758            }
10759        }
10760
10761        if (needPermission) {
10762            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10763                    "beginRestoreSession");
10764        } else {
10765            if (DEBUG) Slog.d(TAG, "restoring self on current transport; no permission needed");
10766        }
10767
10768        synchronized(this) {
10769            if (mActiveRestoreSession != null) {
10770                Slog.i(TAG, "Restore session requested but one already active");
10771                return null;
10772            }
10773            if (mBackupRunning) {
10774                Slog.i(TAG, "Restore session requested but currently running backups");
10775                return null;
10776            }
10777            mActiveRestoreSession = new ActiveRestoreSession(packageName, transport);
10778            mBackupHandler.sendEmptyMessageDelayed(MSG_RESTORE_SESSION_TIMEOUT,
10779                    TIMEOUT_RESTORE_INTERVAL);
10780        }
10781        return mActiveRestoreSession;
10782    }
10783
10784    void clearRestoreSession(ActiveRestoreSession currentSession) {
10785        synchronized(this) {
10786            if (currentSession != mActiveRestoreSession) {
10787                Slog.e(TAG, "ending non-current restore session");
10788            } else {
10789                if (DEBUG) Slog.v(TAG, "Clearing restore session and halting timeout");
10790                mActiveRestoreSession = null;
10791                mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
10792            }
10793        }
10794    }
10795
10796    // Note that a currently-active backup agent has notified us that it has
10797    // completed the given outstanding asynchronous backup/restore operation.
10798    @Override
10799    public void opComplete(int token, long result) {
10800        if (MORE_DEBUG) {
10801            Slog.v(TAG, "opComplete: " + Integer.toHexString(token) + " result=" + result);
10802        }
10803        Operation op = null;
10804        synchronized (mCurrentOpLock) {
10805            op = mCurrentOperations.get(token);
10806            if (op != null) {
10807                if (op.state == OP_TIMEOUT) {
10808                    // The operation already timed out, and this is a late response.  Tidy up
10809                    // and ignore it; we've already dealt with the timeout.
10810                    op = null;
10811                    mCurrentOperations.delete(token);
10812                } else if (op.state == OP_ACKNOWLEDGED) {
10813                    if (DEBUG) {
10814                        Slog.w(TAG, "Received duplicate ack for token=" +
10815                                Integer.toHexString(token));
10816                    }
10817                    op = null;
10818                    mCurrentOperations.remove(token);
10819                } else if (op.state == OP_PENDING) {
10820                    // Can't delete op from mCurrentOperations. waitUntilOperationComplete can be
10821                    // called after we we receive this call.
10822                    op.state = OP_ACKNOWLEDGED;
10823                }
10824            }
10825            mCurrentOpLock.notifyAll();
10826        }
10827
10828        // The completion callback, if any, is invoked on the handler
10829        if (op != null && op.callback != null) {
10830            Pair<BackupRestoreTask, Long> callbackAndResult = Pair.create(op.callback, result);
10831            Message msg = mBackupHandler.obtainMessage(MSG_OP_COMPLETE, callbackAndResult);
10832            mBackupHandler.sendMessage(msg);
10833        }
10834    }
10835
10836    @Override
10837    public boolean isAppEligibleForBackup(String packageName) {
10838        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10839                "isAppEligibleForBackup");
10840        try {
10841            PackageInfo packageInfo = mPackageManager.getPackageInfo(packageName,
10842                    PackageManager.GET_SIGNATURES);
10843            if (!appIsEligibleForBackup(packageInfo.applicationInfo, mPackageManager) ||
10844                    appIsStopped(packageInfo.applicationInfo)) {
10845                return false;
10846            }
10847            IBackupTransport transport = mTransportManager.getCurrentTransportBinder();
10848            if (transport != null) {
10849                try {
10850                    return transport.isAppEligibleForBackup(packageInfo,
10851                        appGetsFullBackup(packageInfo));
10852                } catch (Exception e) {
10853                    Slog.e(TAG, "Unable to ask about eligibility: " + e.getMessage());
10854                }
10855            }
10856            // If transport is not present we couldn't tell that the package is not eligible.
10857            return true;
10858        } catch (NameNotFoundException e) {
10859            return false;
10860        }
10861    }
10862
10863    // ----- Restore session -----
10864
10865    class ActiveRestoreSession extends IRestoreSession.Stub {
10866        private static final String TAG = "RestoreSession";
10867
10868        private String mPackageName;
10869        private IBackupTransport mRestoreTransport = null;
10870        RestoreSet[] mRestoreSets = null;
10871        boolean mEnded = false;
10872        boolean mTimedOut = false;
10873
10874        ActiveRestoreSession(String packageName, String transport) {
10875            mPackageName = packageName;
10876            mRestoreTransport = mTransportManager.getTransportBinder(transport);
10877        }
10878
10879        public void markTimedOut() {
10880            mTimedOut = true;
10881        }
10882
10883        // --- Binder interface ---
10884        public synchronized int getAvailableRestoreSets(IRestoreObserver observer,
10885                IBackupManagerMonitor monitor) {
10886            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10887                    "getAvailableRestoreSets");
10888            if (observer == null) {
10889                throw new IllegalArgumentException("Observer must not be null");
10890            }
10891
10892            if (mEnded) {
10893                throw new IllegalStateException("Restore session already ended");
10894            }
10895
10896            if (mTimedOut) {
10897                Slog.i(TAG, "Session already timed out");
10898                return -1;
10899            }
10900
10901            long oldId = Binder.clearCallingIdentity();
10902            try {
10903                if (mRestoreTransport == null) {
10904                    Slog.w(TAG, "Null transport getting restore sets");
10905                    return -1;
10906                }
10907
10908                // We know we're doing legit work now, so halt the timeout
10909                // until we're done.  It gets started again when the result
10910                // comes in.
10911                mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
10912
10913                // spin off the transport request to our service thread
10914                mWakelock.acquire();
10915                Message msg = mBackupHandler.obtainMessage(MSG_RUN_GET_RESTORE_SETS,
10916                        new RestoreGetSetsParams(mRestoreTransport, this, observer,
10917                                monitor));
10918                mBackupHandler.sendMessage(msg);
10919                return 0;
10920            } catch (Exception e) {
10921                Slog.e(TAG, "Error in getAvailableRestoreSets", e);
10922                return -1;
10923            } finally {
10924                Binder.restoreCallingIdentity(oldId);
10925            }
10926        }
10927
10928        public synchronized int restoreAll(long token, IRestoreObserver observer,
10929                IBackupManagerMonitor monitor) {
10930            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10931                    "performRestore");
10932
10933            if (DEBUG) Slog.d(TAG, "restoreAll token=" + Long.toHexString(token)
10934                    + " observer=" + observer);
10935
10936            if (mEnded) {
10937                throw new IllegalStateException("Restore session already ended");
10938            }
10939
10940            if (mTimedOut) {
10941                Slog.i(TAG, "Session already timed out");
10942                return -1;
10943            }
10944
10945            if (mRestoreTransport == null || mRestoreSets == null) {
10946                Slog.e(TAG, "Ignoring restoreAll() with no restore set");
10947                return -1;
10948            }
10949
10950            if (mPackageName != null) {
10951                Slog.e(TAG, "Ignoring restoreAll() on single-package session");
10952                return -1;
10953            }
10954
10955            String dirName;
10956            try {
10957                dirName = mRestoreTransport.transportDirName();
10958            } catch (Exception e) {
10959                // Transport went AWOL; fail.
10960                Slog.e(TAG, "Unable to get transport dir for restore: " + e.getMessage());
10961                return -1;
10962            }
10963
10964            synchronized (mQueueLock) {
10965                for (int i = 0; i < mRestoreSets.length; i++) {
10966                    if (token == mRestoreSets[i].token) {
10967                        // Real work, so stop the session timeout until we finalize the restore
10968                        mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
10969
10970                        long oldId = Binder.clearCallingIdentity();
10971                        mWakelock.acquire();
10972                        if (MORE_DEBUG) {
10973                            Slog.d(TAG, "restoreAll() kicking off");
10974                        }
10975                        Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
10976                        msg.obj = new RestoreParams(mRestoreTransport, dirName,
10977                                observer, monitor, token);
10978                        mBackupHandler.sendMessage(msg);
10979                        Binder.restoreCallingIdentity(oldId);
10980                        return 0;
10981                    }
10982                }
10983            }
10984
10985            Slog.w(TAG, "Restore token " + Long.toHexString(token) + " not found");
10986            return -1;
10987        }
10988
10989        // Restores of more than a single package are treated as 'system' restores
10990        public synchronized int restoreSome(long token, IRestoreObserver observer,
10991                IBackupManagerMonitor monitor, String[] packages) {
10992            mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
10993                    "performRestore");
10994
10995            if (DEBUG) {
10996                StringBuilder b = new StringBuilder(128);
10997                b.append("restoreSome token=");
10998                b.append(Long.toHexString(token));
10999                b.append(" observer=");
11000                b.append(observer.toString());
11001                b.append(" monitor=");
11002                if (monitor == null) {
11003                    b.append("null");
11004                } else {
11005                    b.append(monitor.toString());
11006                }
11007                b.append(" packages=");
11008                if (packages == null) {
11009                    b.append("null");
11010                } else {
11011                    b.append('{');
11012                    boolean first = true;
11013                    for (String s : packages) {
11014                        if (!first) {
11015                            b.append(", ");
11016                        } else first = false;
11017                        b.append(s);
11018                    }
11019                    b.append('}');
11020                }
11021                Slog.d(TAG, b.toString());
11022            }
11023
11024            if (mEnded) {
11025                throw new IllegalStateException("Restore session already ended");
11026            }
11027
11028            if (mTimedOut) {
11029                Slog.i(TAG, "Session already timed out");
11030                return -1;
11031            }
11032
11033            if (mRestoreTransport == null || mRestoreSets == null) {
11034                Slog.e(TAG, "Ignoring restoreAll() with no restore set");
11035                return -1;
11036            }
11037
11038            if (mPackageName != null) {
11039                Slog.e(TAG, "Ignoring restoreAll() on single-package session");
11040                return -1;
11041            }
11042
11043            String dirName;
11044            try {
11045                dirName = mRestoreTransport.transportDirName();
11046            } catch (Exception e) {
11047                // Transport went AWOL; fail.
11048                Slog.e(TAG, "Unable to get transport name for restoreSome: " + e.getMessage());
11049                return -1;
11050            }
11051
11052            synchronized (mQueueLock) {
11053                for (int i = 0; i < mRestoreSets.length; i++) {
11054                    if (token == mRestoreSets[i].token) {
11055                        // Stop the session timeout until we finalize the restore
11056                        mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
11057
11058                        long oldId = Binder.clearCallingIdentity();
11059                        mWakelock.acquire();
11060                        if (MORE_DEBUG) {
11061                            Slog.d(TAG, "restoreSome() of " + packages.length + " packages");
11062                        }
11063                        Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
11064                        msg.obj = new RestoreParams(mRestoreTransport, dirName, observer, monitor,
11065                                token, packages, packages.length > 1);
11066                        mBackupHandler.sendMessage(msg);
11067                        Binder.restoreCallingIdentity(oldId);
11068                        return 0;
11069                    }
11070                }
11071            }
11072
11073            Slog.w(TAG, "Restore token " + Long.toHexString(token) + " not found");
11074            return -1;
11075        }
11076
11077        public synchronized int restorePackage(String packageName, IRestoreObserver observer,
11078                IBackupManagerMonitor monitor) {
11079            if (DEBUG) Slog.v(TAG, "restorePackage pkg=" + packageName + " obs=" + observer
11080                    + "monitor=" + monitor);
11081
11082            if (mEnded) {
11083                throw new IllegalStateException("Restore session already ended");
11084            }
11085
11086            if (mTimedOut) {
11087                Slog.i(TAG, "Session already timed out");
11088                return -1;
11089            }
11090
11091            if (mPackageName != null) {
11092                if (! mPackageName.equals(packageName)) {
11093                    Slog.e(TAG, "Ignoring attempt to restore pkg=" + packageName
11094                            + " on session for package " + mPackageName);
11095                    return -1;
11096                }
11097            }
11098
11099            PackageInfo app = null;
11100            try {
11101                app = mPackageManager.getPackageInfo(packageName, 0);
11102            } catch (NameNotFoundException nnf) {
11103                Slog.w(TAG, "Asked to restore nonexistent pkg " + packageName);
11104                return -1;
11105            }
11106
11107            // If the caller is not privileged and is not coming from the target
11108            // app's uid, throw a permission exception back to the caller.
11109            int perm = mContext.checkPermission(android.Manifest.permission.BACKUP,
11110                    Binder.getCallingPid(), Binder.getCallingUid());
11111            if ((perm == PackageManager.PERMISSION_DENIED) &&
11112                    (app.applicationInfo.uid != Binder.getCallingUid())) {
11113                Slog.w(TAG, "restorePackage: bad packageName=" + packageName
11114                        + " or calling uid=" + Binder.getCallingUid());
11115                throw new SecurityException("No permission to restore other packages");
11116            }
11117
11118            // So far so good; we're allowed to try to restore this package.
11119            long oldId = Binder.clearCallingIdentity();
11120            try {
11121                // Check whether there is data for it in the current dataset, falling back
11122                // to the ancestral dataset if not.
11123                long token = getAvailableRestoreToken(packageName);
11124                if (DEBUG) Slog.v(TAG, "restorePackage pkg=" + packageName
11125                        + " token=" + Long.toHexString(token));
11126
11127                // If we didn't come up with a place to look -- no ancestral dataset and
11128                // the app has never been backed up from this device -- there's nothing
11129                // to do but return failure.
11130                if (token == 0) {
11131                    if (DEBUG) Slog.w(TAG, "No data available for this package; not restoring");
11132                    return -1;
11133                }
11134
11135                String dirName;
11136                try {
11137                    dirName = mRestoreTransport.transportDirName();
11138                } catch (Exception e) {
11139                    // Transport went AWOL; fail.
11140                    Slog.e(TAG, "Unable to get transport dir for restorePackage: " + e.getMessage());
11141                    return -1;
11142                }
11143
11144                // Stop the session timeout until we finalize the restore
11145                mBackupHandler.removeMessages(MSG_RESTORE_SESSION_TIMEOUT);
11146
11147                // Ready to go:  enqueue the restore request and claim success
11148                mWakelock.acquire();
11149                if (MORE_DEBUG) {
11150                    Slog.d(TAG, "restorePackage() : " + packageName);
11151                }
11152                Message msg = mBackupHandler.obtainMessage(MSG_RUN_RESTORE);
11153                msg.obj = new RestoreParams(mRestoreTransport, dirName, observer, monitor,
11154                        token, app);
11155                mBackupHandler.sendMessage(msg);
11156            } finally {
11157                Binder.restoreCallingIdentity(oldId);
11158            }
11159            return 0;
11160        }
11161
11162        // Posted to the handler to tear down a restore session in a cleanly synchronized way
11163        class EndRestoreRunnable implements Runnable {
11164            BackupManagerService mBackupManager;
11165            ActiveRestoreSession mSession;
11166
11167            EndRestoreRunnable(BackupManagerService manager, ActiveRestoreSession session) {
11168                mBackupManager = manager;
11169                mSession = session;
11170            }
11171
11172            public void run() {
11173                // clean up the session's bookkeeping
11174                synchronized (mSession) {
11175                    mSession.mRestoreTransport = null;
11176                    mSession.mEnded = true;
11177                }
11178
11179                // clean up the BackupManagerImpl side of the bookkeeping
11180                // and cancel any pending timeout message
11181                mBackupManager.clearRestoreSession(mSession);
11182            }
11183        }
11184
11185        public synchronized void endRestoreSession() {
11186            if (DEBUG) Slog.d(TAG, "endRestoreSession");
11187
11188            if (mTimedOut) {
11189                Slog.i(TAG, "Session already timed out");
11190                return;
11191            }
11192
11193            if (mEnded) {
11194                throw new IllegalStateException("Restore session already ended");
11195            }
11196
11197            mBackupHandler.post(new EndRestoreRunnable(BackupManagerService.this, this));
11198        }
11199    }
11200
11201    @Override
11202    public void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
11203        if (!DumpUtils.checkDumpAndUsageStatsPermission(mContext, TAG, pw)) return;
11204
11205        long identityToken = Binder.clearCallingIdentity();
11206        try {
11207            if (args != null) {
11208                for (String arg : args) {
11209                    if ("-h".equals(arg)) {
11210                        pw.println("'dumpsys backup' optional arguments:");
11211                        pw.println("  -h       : this help text");
11212                        pw.println("  a[gents] : dump information about defined backup agents");
11213                        return;
11214                    } else if ("agents".startsWith(arg)) {
11215                        dumpAgents(pw);
11216                        return;
11217                    }
11218                }
11219            }
11220            dumpInternal(pw);
11221        } finally {
11222            Binder.restoreCallingIdentity(identityToken);
11223        }
11224    }
11225
11226    private void dumpAgents(PrintWriter pw) {
11227        List<PackageInfo> agentPackages = allAgentPackages();
11228        pw.println("Defined backup agents:");
11229        for (PackageInfo pkg : agentPackages) {
11230            pw.print("  ");
11231            pw.print(pkg.packageName); pw.println(':');
11232            pw.print("      "); pw.println(pkg.applicationInfo.backupAgentName);
11233        }
11234    }
11235
11236    private void dumpInternal(PrintWriter pw) {
11237        synchronized (mQueueLock) {
11238            pw.println("Backup Manager is " + (mEnabled ? "enabled" : "disabled")
11239                    + " / " + (!mProvisioned ? "not " : "") + "provisioned / "
11240                    + (this.mPendingInits.size() == 0 ? "not " : "") + "pending init");
11241            pw.println("Auto-restore is " + (mAutoRestore ? "enabled" : "disabled"));
11242            if (mBackupRunning) pw.println("Backup currently running");
11243            pw.println("Last backup pass started: " + mLastBackupPass
11244                    + " (now = " + System.currentTimeMillis() + ')');
11245            pw.println("  next scheduled: " + KeyValueBackupJob.nextScheduled());
11246
11247            pw.println("Transport whitelist:");
11248            for (ComponentName transport : mTransportManager.getTransportWhitelist()) {
11249                pw.print("    ");
11250                pw.println(transport.flattenToShortString());
11251            }
11252
11253            pw.println("Available transports:");
11254            final String[] transports = listAllTransports();
11255            if (transports != null) {
11256                for (String t : listAllTransports()) {
11257                    pw.println((t.equals(mTransportManager.getCurrentTransportName()) ? "  * " : "    ") + t);
11258                    try {
11259                        IBackupTransport transport = mTransportManager.getTransportBinder(t);
11260                        File dir = new File(mBaseStateDir, transport.transportDirName());
11261                        pw.println("       destination: " + transport.currentDestinationString());
11262                        pw.println("       intent: " + transport.configurationIntent());
11263                        for (File f : dir.listFiles()) {
11264                            pw.println("       " + f.getName() + " - " + f.length() + " state bytes");
11265                        }
11266                    } catch (Exception e) {
11267                        Slog.e(TAG, "Error in transport", e);
11268                        pw.println("        Error: " + e);
11269                    }
11270                }
11271            }
11272
11273            pw.println("Pending init: " + mPendingInits.size());
11274            for (String s : mPendingInits) {
11275                pw.println("    " + s);
11276            }
11277
11278            if (DEBUG_BACKUP_TRACE) {
11279                synchronized (mBackupTrace) {
11280                    if (!mBackupTrace.isEmpty()) {
11281                        pw.println("Most recent backup trace:");
11282                        for (String s : mBackupTrace) {
11283                            pw.println("   " + s);
11284                        }
11285                    }
11286                }
11287            }
11288
11289            pw.print("Ancestral: "); pw.println(Long.toHexString(mAncestralToken));
11290            pw.print("Current:   "); pw.println(Long.toHexString(mCurrentToken));
11291
11292            int N = mBackupParticipants.size();
11293            pw.println("Participants:");
11294            for (int i=0; i<N; i++) {
11295                int uid = mBackupParticipants.keyAt(i);
11296                pw.print("  uid: ");
11297                pw.println(uid);
11298                HashSet<String> participants = mBackupParticipants.valueAt(i);
11299                for (String app: participants) {
11300                    pw.println("    " + app);
11301                }
11302            }
11303
11304            pw.println("Ancestral packages: "
11305                    + (mAncestralPackages == null ? "none" : mAncestralPackages.size()));
11306            if (mAncestralPackages != null) {
11307                for (String pkg : mAncestralPackages) {
11308                    pw.println("    " + pkg);
11309                }
11310            }
11311
11312            pw.println("Ever backed up: " + mEverStoredApps.size());
11313            for (String pkg : mEverStoredApps) {
11314                pw.println("    " + pkg);
11315            }
11316
11317            pw.println("Pending key/value backup: " + mPendingBackups.size());
11318            for (BackupRequest req : mPendingBackups.values()) {
11319                pw.println("    " + req);
11320            }
11321
11322            pw.println("Full backup queue:" + mFullBackupQueue.size());
11323            for (FullBackupEntry entry : mFullBackupQueue) {
11324                pw.print("    "); pw.print(entry.lastBackup);
11325                pw.print(" : "); pw.println(entry.packageName);
11326            }
11327        }
11328    }
11329
11330    private static void sendBackupOnUpdate(IBackupObserver observer, String packageName,
11331            BackupProgress progress) {
11332        if (observer != null) {
11333            try {
11334                observer.onUpdate(packageName, progress);
11335            } catch (RemoteException e) {
11336                if (DEBUG) {
11337                    Slog.w(TAG, "Backup observer went away: onUpdate");
11338                }
11339            }
11340        }
11341    }
11342
11343    private static void sendBackupOnPackageResult(IBackupObserver observer, String packageName,
11344            int status) {
11345        if (observer != null) {
11346            try {
11347                observer.onResult(packageName, status);
11348            } catch (RemoteException e) {
11349                if (DEBUG) {
11350                    Slog.w(TAG, "Backup observer went away: onResult");
11351                }
11352            }
11353        }
11354    }
11355
11356    private static void sendBackupFinished(IBackupObserver observer, int status) {
11357        if (observer != null) {
11358            try {
11359                observer.backupFinished(status);
11360            } catch (RemoteException e) {
11361                if (DEBUG) {
11362                    Slog.w(TAG, "Backup observer went away: backupFinished");
11363                }
11364            }
11365        }
11366    }
11367
11368    private Bundle putMonitoringExtra(Bundle extras, String key, String value) {
11369        if (extras == null) {
11370            extras = new Bundle();
11371        }
11372        extras.putString(key, value);
11373        return extras;
11374    }
11375
11376    private Bundle putMonitoringExtra(Bundle extras, String key, int value) {
11377        if (extras == null) {
11378            extras = new Bundle();
11379        }
11380        extras.putInt(key, value);
11381        return extras;
11382    }
11383
11384    private Bundle putMonitoringExtra(Bundle extras, String key, long value) {
11385        if (extras == null) {
11386            extras = new Bundle();
11387        }
11388        extras.putLong(key, value);
11389        return extras;
11390    }
11391
11392
11393    private Bundle putMonitoringExtra(Bundle extras, String key, boolean value) {
11394        if (extras == null) {
11395            extras = new Bundle();
11396        }
11397        extras.putBoolean(key, value);
11398        return extras;
11399    }
11400
11401    private static IBackupManagerMonitor monitorEvent(IBackupManagerMonitor monitor, int id,
11402            PackageInfo pkg, int category, Bundle extras) {
11403        if (monitor != null) {
11404            try {
11405                Bundle bundle = new Bundle();
11406                bundle.putInt(BackupManagerMonitor.EXTRA_LOG_EVENT_ID, id);
11407                bundle.putInt(BackupManagerMonitor.EXTRA_LOG_EVENT_CATEGORY, category);
11408                if (pkg != null) {
11409                    bundle.putString(EXTRA_LOG_EVENT_PACKAGE_NAME,
11410                            pkg.packageName);
11411                    bundle.putInt(BackupManagerMonitor.EXTRA_LOG_EVENT_PACKAGE_VERSION,
11412                            pkg.versionCode);
11413                }
11414                if (extras != null) {
11415                    bundle.putAll(extras);
11416                }
11417                monitor.onEvent(bundle);
11418                return monitor;
11419            } catch(RemoteException e) {
11420                if (DEBUG) {
11421                    Slog.w(TAG, "backup manager monitor went away");
11422                }
11423            }
11424        }
11425        return null;
11426    }
11427
11428    @Override
11429    public IBackupManager getBackupManagerBinder() {
11430        return mBackupManagerBinder;
11431    }
11432
11433}
11434