PageRenderTime 362ms CodeModel.GetById 21ms app.highlight 291ms RepoModel.GetById 1ms app.codeStats 2ms

/services/java/com/android/server/BackupManagerService.java

https://github.com/aizuzi/platform_frameworks_base
Java | 6288 lines | 4725 code | 698 blank | 865 comment | 1000 complexity | 7a00f18c337f24c4bb4331b40a664d70 MD5 | raw file
   1/*
   2 * Copyright (C) 2009 The Android Open Source Project
   3 *
   4 * Licensed under the Apache License, Version 2.0 (the "License");
   5 * you may not use this file except in compliance with the License.
   6 * You may obtain a copy of the License at
   7 *
   8 *      http://www.apache.org/licenses/LICENSE-2.0
   9 *
  10 * Unless required by applicable law or agreed to in writing, software
  11 * distributed under the License is distributed on an "AS IS" BASIS,
  12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  13 * See the License for the specific language governing permissions and
  14 * limitations under the License.
  15 */
  16
  17package com.android.server;
  18
  19import android.app.ActivityManagerNative;
  20import android.app.AlarmManager;
  21import android.app.AppGlobals;
  22import android.app.IActivityManager;
  23import android.app.IApplicationThread;
  24import android.app.IBackupAgent;
  25import android.app.PendingIntent;
  26import android.app.backup.BackupAgent;
  27import android.app.backup.BackupDataOutput;
  28import android.app.backup.FullBackup;
  29import android.app.backup.RestoreSet;
  30import android.app.backup.IBackupManager;
  31import android.app.backup.IFullBackupRestoreObserver;
  32import android.app.backup.IRestoreObserver;
  33import android.app.backup.IRestoreSession;
  34import android.content.ActivityNotFoundException;
  35import android.content.BroadcastReceiver;
  36import android.content.ComponentName;
  37import android.content.ContentResolver;
  38import android.content.Context;
  39import android.content.Intent;
  40import android.content.IntentFilter;
  41import android.content.ServiceConnection;
  42import android.content.pm.ApplicationInfo;
  43import android.content.pm.IPackageDataObserver;
  44import android.content.pm.IPackageDeleteObserver;
  45import android.content.pm.IPackageInstallObserver;
  46import android.content.pm.IPackageManager;
  47import android.content.pm.PackageInfo;
  48import android.content.pm.PackageManager;
  49import android.content.pm.ResolveInfo;
  50import android.content.pm.ServiceInfo;
  51import android.content.pm.Signature;
  52import android.content.pm.PackageManager.NameNotFoundException;
  53import android.database.ContentObserver;
  54import android.net.Uri;
  55import android.os.Binder;
  56import android.os.Build;
  57import android.os.Bundle;
  58import android.os.Environment;
  59import android.os.Handler;
  60import android.os.HandlerThread;
  61import android.os.IBinder;
  62import android.os.Looper;
  63import android.os.Message;
  64import android.os.ParcelFileDescriptor;
  65import android.os.PowerManager;
  66import android.os.Process;
  67import android.os.RemoteException;
  68import android.os.SELinux;
  69import android.os.ServiceManager;
  70import android.os.SystemClock;
  71import android.os.UserHandle;
  72import android.os.WorkSource;
  73import android.os.Environment.UserEnvironment;
  74import android.os.storage.IMountService;
  75import android.provider.Settings;
  76import android.util.EventLog;
  77import android.util.Log;
  78import android.util.Slog;
  79import android.util.SparseArray;
  80import android.util.StringBuilderPrinter;
  81
  82import com.android.internal.backup.BackupConstants;
  83import com.android.internal.backup.IBackupTransport;
  84import com.android.internal.backup.IObbBackupService;
  85import com.android.server.EventLogTags;
  86import com.android.server.PackageManagerBackupAgent.Metadata;
  87
  88import java.io.BufferedInputStream;
  89import java.io.BufferedOutputStream;
  90import java.io.ByteArrayOutputStream;
  91import java.io.DataInputStream;
  92import java.io.DataOutputStream;
  93import java.io.EOFException;
  94import java.io.File;
  95import java.io.FileDescriptor;
  96import java.io.FileInputStream;
  97import java.io.FileNotFoundException;
  98import java.io.FileOutputStream;
  99import java.io.IOException;
 100import java.io.InputStream;
 101import java.io.OutputStream;
 102import java.io.PrintWriter;
 103import java.io.RandomAccessFile;
 104import java.security.InvalidAlgorithmParameterException;
 105import java.security.InvalidKeyException;
 106import java.security.Key;
 107import java.security.NoSuchAlgorithmException;
 108import java.security.SecureRandom;
 109import java.security.spec.InvalidKeySpecException;
 110import java.security.spec.KeySpec;
 111import java.text.SimpleDateFormat;
 112import java.util.ArrayList;
 113import java.util.Arrays;
 114import java.util.Date;
 115import java.util.HashMap;
 116import java.util.HashSet;
 117import java.util.List;
 118import java.util.Map;
 119import java.util.Random;
 120import java.util.Set;
 121import java.util.concurrent.atomic.AtomicBoolean;
 122import java.util.zip.Deflater;
 123import java.util.zip.DeflaterOutputStream;
 124import java.util.zip.InflaterInputStream;
 125
 126import javax.crypto.BadPaddingException;
 127import javax.crypto.Cipher;
 128import javax.crypto.CipherInputStream;
 129import javax.crypto.CipherOutputStream;
 130import javax.crypto.IllegalBlockSizeException;
 131import javax.crypto.NoSuchPaddingException;
 132import javax.crypto.SecretKey;
 133import javax.crypto.SecretKeyFactory;
 134import javax.crypto.spec.IvParameterSpec;
 135import javax.crypto.spec.PBEKeySpec;
 136import javax.crypto.spec.SecretKeySpec;
 137
 138class BackupManagerService extends IBackupManager.Stub {
 139    private static final String TAG = "BackupManagerService";
 140    private static final boolean DEBUG = true;
 141    private static final boolean MORE_DEBUG = false;
 142
 143    // Historical and current algorithm names
 144    static final String PBKDF_CURRENT = "PBKDF2WithHmacSHA1";
 145    static final String PBKDF_FALLBACK = "PBKDF2WithHmacSHA1And8bit";
 146
 147    // Name and current contents version of the full-backup manifest file
 148    static final String BACKUP_MANIFEST_FILENAME = "_manifest";
 149    static final int BACKUP_MANIFEST_VERSION = 1;
 150    static final String BACKUP_FILE_HEADER_MAGIC = "ANDROID BACKUP\n";
 151    static final int BACKUP_FILE_VERSION = 2;
 152    static final int BACKUP_PW_FILE_VERSION = 2;
 153    static final boolean COMPRESS_FULL_BACKUPS = true; // should be true in production
 154
 155    static final String SHARED_BACKUP_AGENT_PACKAGE = "com.android.sharedstoragebackup";
 156    static final String SERVICE_ACTION_TRANSPORT_HOST = "android.backup.TRANSPORT_HOST";
 157
 158    // How often we perform a backup pass.  Privileged external callers can
 159    // trigger an immediate pass.
 160    private static final long BACKUP_INTERVAL = AlarmManager.INTERVAL_HOUR;
 161
 162    // Random variation in backup scheduling time to avoid server load spikes
 163    private static final int FUZZ_MILLIS = 5 * 60 * 1000;
 164
 165    // The amount of time between the initial provisioning of the device and
 166    // the first backup pass.
 167    private static final long FIRST_BACKUP_INTERVAL = 12 * AlarmManager.INTERVAL_HOUR;
 168
 169    // Retry interval for clear/init when the transport is unavailable
 170    private static final long TRANSPORT_RETRY_INTERVAL = 1 * AlarmManager.INTERVAL_HOUR;
 171
 172    private static final String RUN_BACKUP_ACTION = "android.app.backup.intent.RUN";
 173    private static final String RUN_INITIALIZE_ACTION = "android.app.backup.intent.INIT";
 174    private static final String RUN_CLEAR_ACTION = "android.app.backup.intent.CLEAR";
 175    private static final int MSG_RUN_BACKUP = 1;
 176    private static final int MSG_RUN_FULL_BACKUP = 2;
 177    private static final int MSG_RUN_RESTORE = 3;
 178    private static final int MSG_RUN_CLEAR = 4;
 179    private static final int MSG_RUN_INITIALIZE = 5;
 180    private static final int MSG_RUN_GET_RESTORE_SETS = 6;
 181    private static final int MSG_TIMEOUT = 7;
 182    private static final int MSG_RESTORE_TIMEOUT = 8;
 183    private static final int MSG_FULL_CONFIRMATION_TIMEOUT = 9;
 184    private static final int MSG_RUN_FULL_RESTORE = 10;
 185    private static final int MSG_RETRY_INIT = 11;
 186    private static final int MSG_RETRY_CLEAR = 12;
 187
 188    // backup task state machine tick
 189    static final int MSG_BACKUP_RESTORE_STEP = 20;
 190    static final int MSG_OP_COMPLETE = 21;
 191
 192    // Timeout interval for deciding that a bind or clear-data has taken too long
 193    static final long TIMEOUT_INTERVAL = 10 * 1000;
 194
 195    // Timeout intervals for agent backup & restore operations
 196    static final long TIMEOUT_BACKUP_INTERVAL = 30 * 1000;
 197    static final long TIMEOUT_FULL_BACKUP_INTERVAL = 5 * 60 * 1000;
 198    static final long TIMEOUT_SHARED_BACKUP_INTERVAL = 30 * 60 * 1000;
 199    static final long TIMEOUT_RESTORE_INTERVAL = 60 * 1000;
 200
 201    // User confirmation timeout for a full backup/restore operation.  It's this long in
 202    // order to give them time to enter the backup password.
 203    static final long TIMEOUT_FULL_CONFIRMATION = 60 * 1000;
 204
 205    private Context mContext;
 206    private PackageManager mPackageManager;
 207    IPackageManager mPackageManagerBinder;
 208    private IActivityManager mActivityManager;
 209    private PowerManager mPowerManager;
 210    private AlarmManager mAlarmManager;
 211    private IMountService mMountService;
 212    IBackupManager mBackupManagerBinder;
 213
 214    boolean mEnabled;   // access to this is synchronized on 'this'
 215    boolean mProvisioned;
 216    boolean mAutoRestore;
 217    PowerManager.WakeLock mWakelock;
 218    HandlerThread mHandlerThread;
 219    BackupHandler mBackupHandler;
 220    PendingIntent mRunBackupIntent, mRunInitIntent;
 221    BroadcastReceiver mRunBackupReceiver, mRunInitReceiver;
 222    // map UIDs to the set of participating packages under that UID
 223    final SparseArray<HashSet<String>> mBackupParticipants
 224            = new SparseArray<HashSet<String>>();
 225    // set of backup services that have pending changes
 226    class BackupRequest {
 227        public String packageName;
 228
 229        BackupRequest(String pkgName) {
 230            packageName = pkgName;
 231        }
 232
 233        public String toString() {
 234            return "BackupRequest{pkg=" + packageName + "}";
 235        }
 236    }
 237    // Backups that we haven't started yet.  Keys are package names.
 238    HashMap<String,BackupRequest> mPendingBackups
 239            = new HashMap<String,BackupRequest>();
 240
 241    // Pseudoname that we use for the Package Manager metadata "package"
 242    static final String PACKAGE_MANAGER_SENTINEL = "@pm@";
 243
 244    // locking around the pending-backup management
 245    final Object mQueueLock = new Object();
 246
 247    // The thread performing the sequence of queued backups binds to each app's agent
 248    // in succession.  Bind notifications are asynchronously delivered through the
 249    // Activity Manager; use this lock object to signal when a requested binding has
 250    // completed.
 251    final Object mAgentConnectLock = new Object();
 252    IBackupAgent mConnectedAgent;
 253    volatile boolean mBackupRunning;
 254    volatile boolean mConnecting;
 255    volatile long mLastBackupPass;
 256    volatile long mNextBackupPass;
 257
 258    // For debugging, we maintain a progress trace of operations during backup
 259    static final boolean DEBUG_BACKUP_TRACE = true;
 260    final List<String> mBackupTrace = new ArrayList<String>();
 261
 262    // A similar synchronization mechanism around clearing apps' data for restore
 263    final Object mClearDataLock = new Object();
 264    volatile boolean mClearingData;
 265
 266    // Transport bookkeeping
 267    final HashMap<String,String> mTransportNames
 268            = new HashMap<String,String>();             // component name -> registration name
 269    final HashMap<String,IBackupTransport> mTransports
 270            = new HashMap<String,IBackupTransport>();   // registration name -> binder
 271    final ArrayList<TransportConnection> mTransportConnections
 272            = new ArrayList<TransportConnection>();
 273    String mCurrentTransport;
 274    ActiveRestoreSession mActiveRestoreSession;
 275
 276    // Watch the device provisioning operation during setup
 277    ContentObserver mProvisionedObserver;
 278
 279    class ProvisionedObserver extends ContentObserver {
 280        public ProvisionedObserver(Handler handler) {
 281            super(handler);
 282        }
 283
 284        public void onChange(boolean selfChange) {
 285            final boolean wasProvisioned = mProvisioned;
 286            final boolean isProvisioned = deviceIsProvisioned();
 287            // latch: never unprovision
 288            mProvisioned = wasProvisioned || isProvisioned;
 289            if (MORE_DEBUG) {
 290                Slog.d(TAG, "Provisioning change: was=" + wasProvisioned
 291                        + " is=" + isProvisioned + " now=" + mProvisioned);
 292            }
 293
 294            synchronized (mQueueLock) {
 295                if (mProvisioned && !wasProvisioned && mEnabled) {
 296                    // we're now good to go, so start the backup alarms
 297                    if (MORE_DEBUG) Slog.d(TAG, "Now provisioned, so starting backups");
 298                    startBackupAlarmsLocked(FIRST_BACKUP_INTERVAL);
 299                }
 300            }
 301        }
 302    }
 303
 304    class RestoreGetSetsParams {
 305        public IBackupTransport transport;
 306        public ActiveRestoreSession session;
 307        public IRestoreObserver observer;
 308
 309        RestoreGetSetsParams(IBackupTransport _transport, ActiveRestoreSession _session,
 310                IRestoreObserver _observer) {
 311            transport = _transport;
 312            session = _session;
 313            observer = _observer;
 314        }
 315    }
 316
 317    class RestoreParams {
 318        public IBackupTransport transport;
 319        public String dirName;
 320        public IRestoreObserver observer;
 321        public long token;
 322        public PackageInfo pkgInfo;
 323        public int pmToken; // in post-install restore, the PM's token for this transaction
 324        public boolean needFullBackup;
 325        public String[] filterSet;
 326
 327        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
 328                long _token, PackageInfo _pkg, int _pmToken, boolean _needFullBackup) {
 329            transport = _transport;
 330            dirName = _dirName;
 331            observer = _obs;
 332            token = _token;
 333            pkgInfo = _pkg;
 334            pmToken = _pmToken;
 335            needFullBackup = _needFullBackup;
 336            filterSet = null;
 337        }
 338
 339        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
 340                long _token, boolean _needFullBackup) {
 341            transport = _transport;
 342            dirName = _dirName;
 343            observer = _obs;
 344            token = _token;
 345            pkgInfo = null;
 346            pmToken = 0;
 347            needFullBackup = _needFullBackup;
 348            filterSet = null;
 349        }
 350
 351        RestoreParams(IBackupTransport _transport, String _dirName, IRestoreObserver _obs,
 352                long _token, String[] _filterSet, boolean _needFullBackup) {
 353            transport = _transport;
 354            dirName = _dirName;
 355            observer = _obs;
 356            token = _token;
 357            pkgInfo = null;
 358            pmToken = 0;
 359            needFullBackup = _needFullBackup;
 360            filterSet = _filterSet;
 361        }
 362    }
 363
 364    class ClearParams {
 365        public IBackupTransport transport;
 366        public PackageInfo packageInfo;
 367
 368        ClearParams(IBackupTransport _transport, PackageInfo _info) {
 369            transport = _transport;
 370            packageInfo = _info;
 371        }
 372    }
 373
 374    class ClearRetryParams {
 375        public String transportName;
 376        public String packageName;
 377
 378        ClearRetryParams(String transport, String pkg) {
 379            transportName = transport;
 380            packageName = pkg;
 381        }
 382    }
 383
 384    class FullParams {
 385        public ParcelFileDescriptor fd;
 386        public final AtomicBoolean latch;
 387        public IFullBackupRestoreObserver observer;
 388        public String curPassword;     // filled in by the confirmation step
 389        public String encryptPassword;
 390
 391        FullParams() {
 392            latch = new AtomicBoolean(false);
 393        }
 394    }
 395
 396    class FullBackupParams extends FullParams {
 397        public boolean includeApks;
 398        public boolean includeObbs;
 399        public boolean includeShared;
 400        public boolean allApps;
 401        public boolean includeSystem;
 402        public String[] packages;
 403
 404        FullBackupParams(ParcelFileDescriptor output, boolean saveApks, boolean saveObbs,
 405                boolean saveShared, boolean doAllApps, boolean doSystem, String[] pkgList) {
 406            fd = output;
 407            includeApks = saveApks;
 408            includeObbs = saveObbs;
 409            includeShared = saveShared;
 410            allApps = doAllApps;
 411            includeSystem = doSystem;
 412            packages = pkgList;
 413        }
 414    }
 415
 416    class FullRestoreParams extends FullParams {
 417        FullRestoreParams(ParcelFileDescriptor input) {
 418            fd = input;
 419        }
 420    }
 421
 422    // Bookkeeping of in-flight operations for timeout etc. purposes.  The operation
 423    // token is the index of the entry in the pending-operations list.
 424    static final int OP_PENDING = 0;
 425    static final int OP_ACKNOWLEDGED = 1;
 426    static final int OP_TIMEOUT = -1;
 427
 428    class Operation {
 429        public int state;
 430        public BackupRestoreTask callback;
 431
 432        Operation(int initialState, BackupRestoreTask callbackObj) {
 433            state = initialState;
 434            callback = callbackObj;
 435        }
 436    }
 437    final SparseArray<Operation> mCurrentOperations = new SparseArray<Operation>();
 438    final Object mCurrentOpLock = new Object();
 439    final Random mTokenGenerator = new Random();
 440
 441    final SparseArray<FullParams> mFullConfirmations = new SparseArray<FullParams>();
 442
 443    // Where we keep our journal files and other bookkeeping
 444    File mBaseStateDir;
 445    File mDataDir;
 446    File mJournalDir;
 447    File mJournal;
 448
 449    // Backup password, if any, and the file where it's saved.  What is stored is not the
 450    // password text itself; it's the result of a PBKDF2 hash with a randomly chosen (but
 451    // persisted) salt.  Validation is performed by running the challenge text through the
 452    // same PBKDF2 cycle with the persisted salt; if the resulting derived key string matches
 453    // the saved hash string, then the challenge text matches the originally supplied
 454    // password text.
 455    private final SecureRandom mRng = new SecureRandom();
 456    private String mPasswordHash;
 457    private File mPasswordHashFile;
 458    private int mPasswordVersion;
 459    private File mPasswordVersionFile;
 460    private byte[] mPasswordSalt;
 461
 462    // Configuration of PBKDF2 that we use for generating pw hashes and intermediate keys
 463    static final int PBKDF2_HASH_ROUNDS = 10000;
 464    static final int PBKDF2_KEY_SIZE = 256;     // bits
 465    static final int PBKDF2_SALT_SIZE = 512;    // bits
 466    static final String ENCRYPTION_ALGORITHM_NAME = "AES-256";
 467
 468    // Keep a log of all the apps we've ever backed up, and what the
 469    // dataset tokens are for both the current backup dataset and
 470    // the ancestral dataset.
 471    private File mEverStored;
 472    HashSet<String> mEverStoredApps = new HashSet<String>();
 473
 474    static final int CURRENT_ANCESTRAL_RECORD_VERSION = 1;  // increment when the schema changes
 475    File mTokenFile;
 476    Set<String> mAncestralPackages = null;
 477    long mAncestralToken = 0;
 478    long mCurrentToken = 0;
 479
 480    // Persistently track the need to do a full init
 481    static final String INIT_SENTINEL_FILE_NAME = "_need_init_";
 482    HashSet<String> mPendingInits = new HashSet<String>();  // transport names
 483
 484    // Utility: build a new random integer token
 485    int generateToken() {
 486        int token;
 487        do {
 488            synchronized (mTokenGenerator) {
 489                token = mTokenGenerator.nextInt();
 490            }
 491        } while (token < 0);
 492        return token;
 493    }
 494
 495    // ----- Asynchronous backup/restore handler thread -----
 496
 497    private class BackupHandler extends Handler {
 498        public BackupHandler(Looper looper) {
 499            super(looper);
 500        }
 501
 502        public void handleMessage(Message msg) {
 503
 504            switch (msg.what) {
 505            case MSG_RUN_BACKUP:
 506            {
 507                mLastBackupPass = System.currentTimeMillis();
 508                mNextBackupPass = mLastBackupPass + BACKUP_INTERVAL;
 509
 510                IBackupTransport transport = getTransport(mCurrentTransport);
 511                if (transport == null) {
 512                    Slog.v(TAG, "Backup requested but no transport available");
 513                    synchronized (mQueueLock) {
 514                        mBackupRunning = false;
 515                    }
 516                    mWakelock.release();
 517                    break;
 518                }
 519
 520                // snapshot the pending-backup set and work on that
 521                ArrayList<BackupRequest> queue = new ArrayList<BackupRequest>();
 522                File oldJournal = mJournal;
 523                synchronized (mQueueLock) {
 524                    // Do we have any work to do?  Construct the work queue
 525                    // then release the synchronization lock to actually run
 526                    // the backup.
 527                    if (mPendingBackups.size() > 0) {
 528                        for (BackupRequest b: mPendingBackups.values()) {
 529                            queue.add(b);
 530                        }
 531                        if (DEBUG) Slog.v(TAG, "clearing pending backups");
 532                        mPendingBackups.clear();
 533
 534                        // Start a new backup-queue journal file too
 535                        mJournal = null;
 536
 537                    }
 538                }
 539
 540                // At this point, we have started a new journal file, and the old
 541                // file identity is being passed to the backup processing task.
 542                // When it completes successfully, that old journal file will be
 543                // deleted.  If we crash prior to that, the old journal is parsed
 544                // at next boot and the journaled requests fulfilled.
 545                boolean staged = true;
 546                if (queue.size() > 0) {
 547                    // Spin up a backup state sequence and set it running
 548                    try {
 549                        String dirName = transport.transportDirName();
 550                        PerformBackupTask pbt = new PerformBackupTask(transport, dirName,
 551                                queue, oldJournal);
 552                        Message pbtMessage = obtainMessage(MSG_BACKUP_RESTORE_STEP, pbt);
 553                        sendMessage(pbtMessage);
 554                    } catch (RemoteException e) {
 555                        // unable to ask the transport its dir name -- transient failure, since
 556                        // the above check succeeded.  Try again next time.
 557                        Slog.e(TAG, "Transport became unavailable attempting backup");
 558                        staged = false;
 559                    }
 560                } else {
 561                    Slog.v(TAG, "Backup requested but nothing pending");
 562                    staged = false;
 563                }
 564
 565                if (!staged) {
 566                    // if we didn't actually hand off the wakelock, rewind until next time
 567                    synchronized (mQueueLock) {
 568                        mBackupRunning = false;
 569                    }
 570                    mWakelock.release();
 571                }
 572                break;
 573            }
 574
 575            case MSG_BACKUP_RESTORE_STEP:
 576            {
 577                try {
 578                    BackupRestoreTask task = (BackupRestoreTask) msg.obj;
 579                    if (MORE_DEBUG) Slog.v(TAG, "Got next step for " + task + ", executing");
 580                    task.execute();
 581                } catch (ClassCastException e) {
 582                    Slog.e(TAG, "Invalid backup task in flight, obj=" + msg.obj);
 583                }
 584                break;
 585            }
 586
 587            case MSG_OP_COMPLETE:
 588            {
 589                try {
 590                    BackupRestoreTask task = (BackupRestoreTask) msg.obj;
 591                    task.operationComplete();
 592                } catch (ClassCastException e) {
 593                    Slog.e(TAG, "Invalid completion in flight, obj=" + msg.obj);
 594                }
 595                break;
 596            }
 597
 598            case MSG_RUN_FULL_BACKUP:
 599            {
 600                // TODO: refactor full backup to be a looper-based state machine
 601                // similar to normal backup/restore.
 602                FullBackupParams params = (FullBackupParams)msg.obj;
 603                PerformFullBackupTask task = new PerformFullBackupTask(params.fd,
 604                        params.observer, params.includeApks, params.includeObbs,
 605                        params.includeShared, params.curPassword, params.encryptPassword,
 606                        params.allApps, params.includeSystem, params.packages, params.latch);
 607                (new Thread(task)).start();
 608                break;
 609            }
 610
 611            case MSG_RUN_RESTORE:
 612            {
 613                RestoreParams params = (RestoreParams)msg.obj;
 614                Slog.d(TAG, "MSG_RUN_RESTORE observer=" + params.observer);
 615                PerformRestoreTask task = new PerformRestoreTask(
 616                        params.transport, params.dirName, params.observer,
 617                        params.token, params.pkgInfo, params.pmToken,
 618                        params.needFullBackup, params.filterSet);
 619                Message restoreMsg = obtainMessage(MSG_BACKUP_RESTORE_STEP, task);
 620                sendMessage(restoreMsg);
 621                break;
 622            }
 623
 624            case MSG_RUN_FULL_RESTORE:
 625            {
 626                // TODO: refactor full restore to be a looper-based state machine
 627                // similar to normal backup/restore.
 628                FullRestoreParams params = (FullRestoreParams)msg.obj;
 629                PerformFullRestoreTask task = new PerformFullRestoreTask(params.fd,
 630                        params.curPassword, params.encryptPassword,
 631                        params.observer, params.latch);
 632                (new Thread(task)).start();
 633                break;
 634            }
 635
 636            case MSG_RUN_CLEAR:
 637            {
 638                ClearParams params = (ClearParams)msg.obj;
 639                (new PerformClearTask(params.transport, params.packageInfo)).run();
 640                break;
 641            }
 642
 643            case MSG_RETRY_CLEAR:
 644            {
 645                // reenqueues if the transport remains unavailable
 646                ClearRetryParams params = (ClearRetryParams)msg.obj;
 647                clearBackupData(params.transportName, params.packageName);
 648                break;
 649            }
 650
 651            case MSG_RUN_INITIALIZE:
 652            {
 653                HashSet<String> queue;
 654
 655                // Snapshot the pending-init queue and work on that
 656                synchronized (mQueueLock) {
 657                    queue = new HashSet<String>(mPendingInits);
 658                    mPendingInits.clear();
 659                }
 660
 661                (new PerformInitializeTask(queue)).run();
 662                break;
 663            }
 664
 665            case MSG_RETRY_INIT:
 666            {
 667                synchronized (mQueueLock) {
 668                    recordInitPendingLocked(msg.arg1 != 0, (String)msg.obj);
 669                    mAlarmManager.set(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(),
 670                            mRunInitIntent);
 671                }
 672                break;
 673            }
 674
 675            case MSG_RUN_GET_RESTORE_SETS:
 676            {
 677                // Like other async operations, this is entered with the wakelock held
 678                RestoreSet[] sets = null;
 679                RestoreGetSetsParams params = (RestoreGetSetsParams)msg.obj;
 680                try {
 681                    sets = params.transport.getAvailableRestoreSets();
 682                    // cache the result in the active session
 683                    synchronized (params.session) {
 684                        params.session.mRestoreSets = sets;
 685                    }
 686                    if (sets == null) EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
 687                } catch (Exception e) {
 688                    Slog.e(TAG, "Error from transport getting set list");
 689                } finally {
 690                    if (params.observer != null) {
 691                        try {
 692                            params.observer.restoreSetsAvailable(sets);
 693                        } catch (RemoteException re) {
 694                            Slog.e(TAG, "Unable to report listing to observer");
 695                        } catch (Exception e) {
 696                            Slog.e(TAG, "Restore observer threw", e);
 697                        }
 698                    }
 699
 700                    // Done: reset the session timeout clock
 701                    removeMessages(MSG_RESTORE_TIMEOUT);
 702                    sendEmptyMessageDelayed(MSG_RESTORE_TIMEOUT, TIMEOUT_RESTORE_INTERVAL);
 703
 704                    mWakelock.release();
 705                }
 706                break;
 707            }
 708
 709            case MSG_TIMEOUT:
 710            {
 711                handleTimeout(msg.arg1, msg.obj);
 712                break;
 713            }
 714
 715            case MSG_RESTORE_TIMEOUT:
 716            {
 717                synchronized (BackupManagerService.this) {
 718                    if (mActiveRestoreSession != null) {
 719                        // Client app left the restore session dangling.  We know that it
 720                        // can't be in the middle of an actual restore operation because
 721                        // the timeout is suspended while a restore is in progress.  Clean
 722                        // up now.
 723                        Slog.w(TAG, "Restore session timed out; aborting");
 724                        post(mActiveRestoreSession.new EndRestoreRunnable(
 725                                BackupManagerService.this, mActiveRestoreSession));
 726                    }
 727                }
 728            }
 729
 730            case MSG_FULL_CONFIRMATION_TIMEOUT:
 731            {
 732                synchronized (mFullConfirmations) {
 733                    FullParams params = mFullConfirmations.get(msg.arg1);
 734                    if (params != null) {
 735                        Slog.i(TAG, "Full backup/restore timed out waiting for user confirmation");
 736
 737                        // Release the waiter; timeout == completion
 738                        signalFullBackupRestoreCompletion(params);
 739
 740                        // Remove the token from the set
 741                        mFullConfirmations.delete(msg.arg1);
 742
 743                        // Report a timeout to the observer, if any
 744                        if (params.observer != null) {
 745                            try {
 746                                params.observer.onTimeout();
 747                            } catch (RemoteException e) {
 748                                /* don't care if the app has gone away */
 749                            }
 750                        }
 751                    } else {
 752                        Slog.d(TAG, "couldn't find params for token " + msg.arg1);
 753                    }
 754                }
 755                break;
 756            }
 757            }
 758        }
 759    }
 760
 761    // ----- Debug-only backup operation trace -----
 762    void addBackupTrace(String s) {
 763        if (DEBUG_BACKUP_TRACE) {
 764            synchronized (mBackupTrace) {
 765                mBackupTrace.add(s);
 766            }
 767        }
 768    }
 769
 770    void clearBackupTrace() {
 771        if (DEBUG_BACKUP_TRACE) {
 772            synchronized (mBackupTrace) {
 773                mBackupTrace.clear();
 774            }
 775        }
 776    }
 777
 778    // ----- Main service implementation -----
 779
 780    public BackupManagerService(Context context) {
 781        mContext = context;
 782        mPackageManager = context.getPackageManager();
 783        mPackageManagerBinder = AppGlobals.getPackageManager();
 784        mActivityManager = ActivityManagerNative.getDefault();
 785
 786        mAlarmManager = (AlarmManager) context.getSystemService(Context.ALARM_SERVICE);
 787        mPowerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
 788        mMountService = IMountService.Stub.asInterface(ServiceManager.getService("mount"));
 789
 790        mBackupManagerBinder = asInterface(asBinder());
 791
 792        // spin up the backup/restore handler thread
 793        mHandlerThread = new HandlerThread("backup", Process.THREAD_PRIORITY_BACKGROUND);
 794        mHandlerThread.start();
 795        mBackupHandler = new BackupHandler(mHandlerThread.getLooper());
 796
 797        // Set up our bookkeeping
 798        final ContentResolver resolver = context.getContentResolver();
 799        boolean areEnabled = Settings.Secure.getInt(resolver,
 800                Settings.Secure.BACKUP_ENABLED, 0) != 0;
 801        mProvisioned = Settings.Global.getInt(resolver,
 802                Settings.Global.DEVICE_PROVISIONED, 0) != 0;
 803        mAutoRestore = Settings.Secure.getInt(resolver,
 804                Settings.Secure.BACKUP_AUTO_RESTORE, 1) != 0;
 805
 806        mProvisionedObserver = new ProvisionedObserver(mBackupHandler);
 807        resolver.registerContentObserver(
 808                Settings.Global.getUriFor(Settings.Global.DEVICE_PROVISIONED),
 809                false, mProvisionedObserver);
 810
 811        // If Encrypted file systems is enabled or disabled, this call will return the
 812        // correct directory.
 813        mBaseStateDir = new File(Environment.getSecureDataDirectory(), "backup");
 814        mBaseStateDir.mkdirs();
 815        if (!SELinux.restorecon(mBaseStateDir)) {
 816            Slog.e(TAG, "SELinux restorecon failed on " + mBaseStateDir);
 817        }
 818        mDataDir = Environment.getDownloadCacheDirectory();
 819
 820        mPasswordVersion = 1;       // unless we hear otherwise
 821        mPasswordVersionFile = new File(mBaseStateDir, "pwversion");
 822        if (mPasswordVersionFile.exists()) {
 823            FileInputStream fin = null;
 824            DataInputStream in = null;
 825            try {
 826                fin = new FileInputStream(mPasswordVersionFile);
 827                in = new DataInputStream(fin);
 828                mPasswordVersion = in.readInt();
 829            } catch (IOException e) {
 830                Slog.e(TAG, "Unable to read backup pw version");
 831            } finally {
 832                try {
 833                    if (in != null) in.close();
 834                    if (fin != null) fin.close();
 835                } catch (IOException e) {
 836                    Slog.w(TAG, "Error closing pw version files");
 837                }
 838            }
 839        }
 840
 841        mPasswordHashFile = new File(mBaseStateDir, "pwhash");
 842        if (mPasswordHashFile.exists()) {
 843            FileInputStream fin = null;
 844            DataInputStream in = null;
 845            try {
 846                fin = new FileInputStream(mPasswordHashFile);
 847                in = new DataInputStream(new BufferedInputStream(fin));
 848                // integer length of the salt array, followed by the salt,
 849                // then the hex pw hash string
 850                int saltLen = in.readInt();
 851                byte[] salt = new byte[saltLen];
 852                in.readFully(salt);
 853                mPasswordHash = in.readUTF();
 854                mPasswordSalt = salt;
 855            } catch (IOException e) {
 856                Slog.e(TAG, "Unable to read saved backup pw hash");
 857            } finally {
 858                try {
 859                    if (in != null) in.close();
 860                    if (fin != null) fin.close();
 861                } catch (IOException e) {
 862                    Slog.w(TAG, "Unable to close streams");
 863                }
 864            }
 865        }
 866
 867        // Alarm receivers for scheduled backups & initialization operations
 868        mRunBackupReceiver = new RunBackupReceiver();
 869        IntentFilter filter = new IntentFilter();
 870        filter.addAction(RUN_BACKUP_ACTION);
 871        context.registerReceiver(mRunBackupReceiver, filter,
 872                android.Manifest.permission.BACKUP, null);
 873
 874        mRunInitReceiver = new RunInitializeReceiver();
 875        filter = new IntentFilter();
 876        filter.addAction(RUN_INITIALIZE_ACTION);
 877        context.registerReceiver(mRunInitReceiver, filter,
 878                android.Manifest.permission.BACKUP, null);
 879
 880        Intent backupIntent = new Intent(RUN_BACKUP_ACTION);
 881        backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
 882        mRunBackupIntent = PendingIntent.getBroadcast(context, MSG_RUN_BACKUP, backupIntent, 0);
 883
 884        Intent initIntent = new Intent(RUN_INITIALIZE_ACTION);
 885        backupIntent.addFlags(Intent.FLAG_RECEIVER_REGISTERED_ONLY);
 886        mRunInitIntent = PendingIntent.getBroadcast(context, MSG_RUN_INITIALIZE, initIntent, 0);
 887
 888        // Set up the backup-request journaling
 889        mJournalDir = new File(mBaseStateDir, "pending");
 890        mJournalDir.mkdirs();   // creates mBaseStateDir along the way
 891        mJournal = null;        // will be created on first use
 892
 893        // Set up the various sorts of package tracking we do
 894        initPackageTracking();
 895
 896        // Build our mapping of uid to backup client services.  This implicitly
 897        // schedules a backup pass on the Package Manager metadata the first
 898        // time anything needs to be backed up.
 899        synchronized (mBackupParticipants) {
 900            addPackageParticipantsLocked(null);
 901        }
 902
 903        // Set up our transport options and initialize the default transport
 904        // TODO: Don't create transports that we don't need to?
 905        mCurrentTransport = Settings.Secure.getString(context.getContentResolver(),
 906                Settings.Secure.BACKUP_TRANSPORT);
 907        if ("".equals(mCurrentTransport)) {
 908            mCurrentTransport = null;
 909        }
 910        if (DEBUG) Slog.v(TAG, "Starting with transport " + mCurrentTransport);
 911
 912        // Find transport hosts and bind to their services
 913        Intent transportServiceIntent = new Intent(SERVICE_ACTION_TRANSPORT_HOST);
 914        List<ResolveInfo> hosts = mPackageManager.queryIntentServicesAsUser(
 915                transportServiceIntent, 0, UserHandle.USER_OWNER);
 916        if (DEBUG) {
 917            Slog.v(TAG, "Found transports: " + ((hosts == null) ? "null" : hosts.size()));
 918        }
 919        if (hosts != null) {
 920            if (MORE_DEBUG) {
 921                for (int i = 0; i < hosts.size(); i++) {
 922                    ServiceInfo info = hosts.get(i).serviceInfo;
 923                    Slog.v(TAG, "   " + info.packageName + "/" + info.name);
 924                }
 925            }
 926            for (int i = 0; i < hosts.size(); i++) {
 927                try {
 928                    ServiceInfo info = hosts.get(i).serviceInfo;
 929                    PackageInfo packInfo = mPackageManager.getPackageInfo(info.packageName, 0);
 930                    if ((packInfo.applicationInfo.flags & ApplicationInfo.FLAG_PRIVILEGED) != 0) {
 931                        ComponentName svcName = new ComponentName(info.packageName, info.name);
 932                        if (DEBUG) {
 933                            Slog.i(TAG, "Binding to transport host " + svcName);
 934                        }
 935                        Intent intent = new Intent(transportServiceIntent);
 936                        intent.setComponent(svcName);
 937                        TransportConnection connection = new TransportConnection();
 938                        mTransportConnections.add(connection);
 939                        context.bindServiceAsUser(intent,
 940                                connection, Context.BIND_AUTO_CREATE,
 941                                UserHandle.OWNER);
 942                    } else {
 943                        Slog.w(TAG, "Transport package not privileged: " + info.packageName);
 944                    }
 945                } catch (Exception e) {
 946                    Slog.e(TAG, "Problem resolving transport service: " + e.getMessage());
 947                }
 948            }
 949        }
 950
 951        // Now that we know about valid backup participants, parse any
 952        // leftover journal files into the pending backup set
 953        parseLeftoverJournals();
 954
 955        // Power management
 956        mWakelock = mPowerManager.newWakeLock(PowerManager.PARTIAL_WAKE_LOCK, "*backup*");
 957
 958        // Start the backup passes going
 959        setBackupEnabled(areEnabled);
 960    }
 961
 962    private class RunBackupReceiver extends BroadcastReceiver {
 963        public void onReceive(Context context, Intent intent) {
 964            if (RUN_BACKUP_ACTION.equals(intent.getAction())) {
 965                synchronized (mQueueLock) {
 966                    if (mPendingInits.size() > 0) {
 967                        // If there are pending init operations, we process those
 968                        // and then settle into the usual periodic backup schedule.
 969                        if (DEBUG) Slog.v(TAG, "Init pending at scheduled backup");
 970                        try {
 971                            mAlarmManager.cancel(mRunInitIntent);
 972                            mRunInitIntent.send();
 973                        } catch (PendingIntent.CanceledException ce) {
 974                            Slog.e(TAG, "Run init intent cancelled");
 975                            // can't really do more than bail here
 976                        }
 977                    } else {
 978                        // Don't run backups now if we're disabled or not yet
 979                        // fully set up.
 980                        if (mEnabled && mProvisioned) {
 981                            if (!mBackupRunning) {
 982                                if (DEBUG) Slog.v(TAG, "Running a backup pass");
 983
 984                                // Acquire the wakelock and pass it to the backup thread.  it will
 985                                // be released once backup concludes.
 986                                mBackupRunning = true;
 987                                mWakelock.acquire();
 988
 989                                Message msg = mBackupHandler.obtainMessage(MSG_RUN_BACKUP);
 990                                mBackupHandler.sendMessage(msg);
 991                            } else {
 992                                Slog.i(TAG, "Backup time but one already running");
 993                            }
 994                        } else {
 995                            Slog.w(TAG, "Backup pass but e=" + mEnabled + " p=" + mProvisioned);
 996                        }
 997                    }
 998                }
 999            }
1000        }
1001    }
1002
1003    private class RunInitializeReceiver extends BroadcastReceiver {
1004        public void onReceive(Context context, Intent intent) {
1005            if (RUN_INITIALIZE_ACTION.equals(intent.getAction())) {
1006                synchronized (mQueueLock) {
1007                    if (DEBUG) Slog.v(TAG, "Running a device init");
1008
1009                    // Acquire the wakelock and pass it to the init thread.  it will
1010                    // be released once init concludes.
1011                    mWakelock.acquire();
1012
1013                    Message msg = mBackupHandler.obtainMessage(MSG_RUN_INITIALIZE);
1014                    mBackupHandler.sendMessage(msg);
1015                }
1016            }
1017        }
1018    }
1019
1020    private void initPackageTracking() {
1021        if (DEBUG) Slog.v(TAG, "Initializing package tracking");
1022
1023        // Remember our ancestral dataset
1024        mTokenFile = new File(mBaseStateDir, "ancestral");
1025        try {
1026            RandomAccessFile tf = new RandomAccessFile(mTokenFile, "r");
1027            int version = tf.readInt();
1028            if (version == CURRENT_ANCESTRAL_RECORD_VERSION) {
1029                mAncestralToken = tf.readLong();
1030                mCurrentToken = tf.readLong();
1031
1032                int numPackages = tf.readInt();
1033                if (numPackages >= 0) {
1034                    mAncestralPackages = new HashSet<String>();
1035                    for (int i = 0; i < numPackages; i++) {
1036                        String pkgName = tf.readUTF();
1037                        mAncestralPackages.add(pkgName);
1038                    }
1039                }
1040            }
1041            tf.close();
1042        } catch (FileNotFoundException fnf) {
1043            // Probably innocuous
1044            Slog.v(TAG, "No ancestral data");
1045        } catch (IOException e) {
1046            Slog.w(TAG, "Unable to read token file", e);
1047        }
1048
1049        // Keep a log of what apps we've ever backed up.  Because we might have
1050        // rebooted in the middle of an operation that was removing something from
1051        // this log, we sanity-check its contents here and reconstruct it.
1052        mEverStored = new File(mBaseStateDir, "processed");
1053        File tempProcessedFile = new File(mBaseStateDir, "processed.new");
1054
1055        // If we were in the middle of removing something from the ever-backed-up
1056        // file, there might be a transient "processed.new" file still present.
1057        // Ignore it -- we'll validate "processed" against the current package set.
1058        if (tempProcessedFile.exists()) {
1059            tempProcessedFile.delete();
1060        }
1061
1062        // If there are previous contents, parse them out then start a new
1063        // file to continue the recordkeeping.
1064        if (mEverStored.exists()) {
1065            RandomAccessFile temp = null;
1066            RandomAccessFile in = null;
1067
1068            try {
1069                temp = new RandomAccessFile(tempProcessedFile, "rws");
1070                in = new RandomAccessFile(mEverStored, "r");
1071
1072                while (true) {
1073                    PackageInfo info;
1074                    String pkg = in.readUTF();
1075                    try {
1076                        info = mPackageManager.getPackageInfo(pkg, 0);
1077                        mEverStoredApps.add(pkg);
1078                        temp.writeUTF(pkg);
1079                        if (MORE_DEBUG) Slog.v(TAG, "   + " + pkg);
1080                    } catch (NameNotFoundException e) {
1081                        // nope, this package was uninstalled; don't include it
1082                        if (MORE_DEBUG) Slog.v(TAG, "   - " + pkg);
1083                    }
1084                }
1085            } catch (EOFException e) {
1086                // Once we've rewritten the backup history log, atomically replace the
1087                // old one with the new one then reopen the file for continuing use.
1088                if (!tempProcessedFile.renameTo(mEverStored)) {
1089                    Slog.e(TAG, "Error renaming " + tempProcessedFile + " to " + mEverStored);
1090                }
1091            } catch (IOException e) {
1092                Slog.e(TAG, "Error in processed file", e);
1093            } finally {
1094                try { if (temp != null) temp.close(); } catch (IOException e) {}
1095                try { if (in != null) in.close(); } catch (IOException e) {}
1096            }
1097        }
1098
1099        // Register for broadcasts about package install, etc., so we can
1100        // update the provider list.
1101        IntentFilter filter = new IntentFilter();
1102        filter.addAction(Intent.ACTION_PACKAGE_ADDED);
1103        filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
1104        filter.addDataScheme("package");
1105        mContext.registerReceiver(mBroadcastReceiver, filter);
1106        // Register for events related to sdcard installation.
1107        IntentFilter sdFilter = new IntentFilter();
1108        sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE);
1109        sdFilter.addAction(Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE);
1110        mContext.registerReceiver(mBroadcastReceiver, sdFilter);
1111    }
1112
1113    private void parseLeftoverJournals() {
1114        for (File f : mJournalDir.listFiles()) {
1115            if (mJournal == null || f.compareTo(mJournal) != 0) {
1116                // This isn't the current journal, so it must be a leftover.  Read
1117                // out the package names mentioned there and schedule them for
1118                // backup.
1119                RandomAccessFile in = null;
1120                try {
1121                    Slog.i(TAG, "Found stale backup journal, scheduling");
1122                    in = new RandomAccessFile(f, "r");
1123                    while (true) {
1124                        String packageName = in.readUTF();
1125                        Slog.i(TAG, "  " + packageName);
1126                        dataChangedImpl(packageName);
1127                    }
1128                } catch (EOFException e) {
1129                    // no more data; we're done
1130                } catch (Exception e) {
1131                    Slog.e(TAG, "Can't read " + f, e);
1132                } finally {
1133                    // close/delete the file
1134                    try { if (in != null) in.close(); } catch (IOException e) {}
1135                    f.delete();
1136                }
1137            }
1138        }
1139    }
1140
1141    private SecretKey buildPasswordKey(String algorithm, String pw, byte[] salt, int rounds) {
1142        return buildCharArrayKey(algorithm, pw.toCharArray(), salt, rounds);
1143    }
1144
1145    private SecretKey buildCharArrayKey(String algorithm, char[] pwArray, byte[] salt, int rounds) {
1146        try {
1147            SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(algorithm);
1148            KeySpec ks = new PBEKeySpec(pwArray, salt, rounds, PBKDF2_KEY_SIZE);
1149            return keyFactory.generateSecret(ks);
1150        } catch (InvalidKeySpecException e) {
1151            Slog.e(TAG, "Invalid key spec for PBKDF2!");
1152        } catch (NoSuchAlgorithmException e) {
1153            Slog.e(TAG, "PBKDF2 unavailable!");
1154        }
1155        return null;
1156    }
1157
1158    private String buildPasswordHash(String algorithm, String pw, byte[] salt, int rounds) {
1159        SecretKey key = buildPasswordKey(algorithm, pw, salt, rounds);
1160        if (key != null) {
1161            return byteArrayToHex(key.getEncoded());
1162        }
1163        return null;
1164    }
1165
1166    private String byteArrayToHex(byte[] data) {
1167        StringBuilder buf = new StringBuilder(data.length * 2);
1168        for (int i = 0; i < data.length; i++) {
1169            buf.append(Byte.toHexString(data[i], true));
1170        }
1171        return buf.toString();
1172    }
1173
1174    private byte[] hexToByteArray(String digits) {
1175        final int bytes = digits.length() / 2;
1176        if (2*bytes != digits.length()) {
1177            throw new IllegalArgumentException("Hex string must have an even number of digits");
1178        }
1179
1180        byte[] result = new byte[bytes];
1181        for (int i = 0; i < digits.length(); i += 2) {
1182            result[i/2] = (byte) Integer.parseInt(digits.substring(i, i+2), 16);
1183        }
1184        return result;
1185    }
1186
1187    private byte[] makeKeyChecksum(String algorithm, byte[] pwBytes, byte[] salt, int rounds) {
1188        char[] mkAsChar = new char[pwBytes.length];
1189        for (int i = 0; i < pwBytes.length; i++) {
1190            mkAsChar[i] = (char) pwBytes[i];
1191        }
1192
1193        Key checksum = buildCharArrayKey(algorithm, mkAsChar, salt, rounds);
1194        return checksum.getEncoded();
1195    }
1196
1197    // Used for generating random salts or passwords
1198    private byte[] randomBytes(int bits) {
1199        byte[] array = new byte[bits / 8];
1200        mRng.nextBytes(array);
1201        return array;
1202    }
1203
1204    // Backup password management
1205    boolean passwordMatchesSaved(String algorithm, String candidatePw, int rounds) {
1206        // First, on an encrypted device we require matching the device pw
1207        final boolean isEncrypted;
1208        try {
1209            isEncrypted = (mMountService.getEncryptionState() != MountService.ENCRYPTION_STATE_NONE);
1210            if (isEncrypted) {
1211                if (DEBUG) {
1212                    Slog.i(TAG, "Device encrypted; verifying against device data pw");
1213                }
1214                // 0 means the password validated
1215                // -2 means device not encrypted
1216                // Any other result is either password failure or an error condition,
1217                // so we refuse the match
1218                final int result = mMountService.verifyEncryptionPassword(candidatePw);
1219                if (result == 0) {
1220                    if (MORE_DEBUG) Slog.d(TAG, "Pw verifies");
1221                    return true;
1222                } else if (result != -2) {
1223                    if (MORE_DEBUG) Slog.d(TAG, "Pw mismatch");
1224                    return false;
1225                } else {
1226                    // ...else the device is supposedly not encrypted.  HOWEVER, the
1227                    // query about the encryption state said that the device *is*
1228                    // encrypted, so ... we may have a problem.  Log it and refuse
1229                    // the backup.
1230                    Slog.e(TAG, "verified encryption state mismatch against query; no match allowed");
1231                    return false;
1232                }
1233            }
1234        } catch (Exception e) {
1235            // Something went wrong talking to the mount service.  This is very bad;
1236            // assume that we fail password validation.
1237            return false;
1238        }
1239
1240        if (mPasswordHash == null) {
1241            // no current password case -- require that 'currentPw' be null or empty
1242            if (candidatePw == null || "".equals(candidatePw)) {
1243                return true;
1244            } // else the non-empty candidate does not match the empty stored pw
1245        } else {
1246            // hash the stated current pw and compare to the stored one
1247            if (candidatePw != null && candidatePw.length() > 0) {
1248                String currentPwHash = buildPasswordHash(algorithm, candidatePw, mPasswordSalt, rounds);
1249                if (mPasswordHash.equalsIgnoreCase(currentPwHash)) {
1250                    // candidate hash matches the stored hash -- the password matches
1251                    return true;
1252                }
1253            } // else the stored pw is nonempty but the candidate is empty; no match
1254        }
1255        return false;
1256    }
1257
1258    @Override
1259    public boolean setBackupPassword(String currentPw, String newPw) {
1260        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
1261                "setBackupPassword");
1262
1263        // When processing v1 passwords we may need to try two different PBKDF2 checksum regimes
1264        final boolean pbkdf2Fallback = (mPasswordVersion < BACKUP_PW_FILE_VERSION);
1265
1266        // If the supplied pw doesn't hash to the the saved one, fail.  The password
1267        // might be caught in the legacy crypto mismatch; verify that too.
1268        if (!passwordMatchesSaved(PBKDF_CURRENT, currentPw, PBKDF2_HASH_ROUNDS)
1269                && !(pbkdf2Fallback && passwordMatchesSaved(PBKDF_FALLBACK,
1270                        currentPw, PBKDF2_HASH_ROUNDS))) {
1271            return false;
1272        }
1273
1274        // Snap up to current on the pw file version
1275        mPasswordVersion = BACKUP_PW_FILE_VERSION;
1276        FileOutputStream pwFout = null;
1277        DataOutputStream pwOut = null;
1278        try {
1279            pwFout = new FileOutputStream(mPasswordVersionFile);
1280            pwOut = new DataOutputStream(pwFout);
1281            pwOut.writeInt(mPasswordVersion);
1282        } catch (IOException e) {
1283            Slog.e(TAG, "Unable to write backup pw version; password not changed");
1284            return false;
1285        } finally {
1286            try {
1287                if (pwOut != null) pwOut.close();
1288                if (pwFout != null) pwFout.close();
1289            } catch (IOException e) {
1290                Slog.w(TAG, "Unable to close pw version record");
1291            }
1292        }
1293
1294        // Clearing the password is okay
1295        if (newPw == null || newPw.isEmpty()) {
1296            if (mPasswordHashFile.exists()) {
1297                if (!mPasswordHashFile.delete()) {
1298                    // Unable to delete the old pw file, so fail
1299                    Slog.e(TAG, "Unable to clear backup password");
1300                    return false;
1301                }
1302            }
1303            mPasswordHash = null;
1304            mPasswordSalt = null;
1305            return true;
1306        }
1307
1308        try {
1309            // Okay, build the hash of the new backup password
1310            byte[] salt = randomBytes(PBKDF2_SALT_SIZE);
1311            String newPwHash = buildPasswordHash(PBKDF_CURRENT, newPw, salt, PBKDF2_HASH_ROUNDS);
1312
1313            OutputStream pwf = null, buffer = null;
1314            DataOutputStream out = null;
1315            try {
1316                pwf = new FileOutputStream(mPasswordHashFile);
1317                buffer = new BufferedOutputStream(pwf);
1318                out = new DataOutputStream(buffer);
1319                // integer length of the salt array, followed by the salt,
1320                // then the hex pw hash string
1321                out.writeInt(salt.length);
1322                out.write(salt);
1323                out.writeUTF(newPwHash);
1324                out.flush();
1325                mPasswordHash = newPwHash;
1326                mPasswordSalt = salt;
1327                return true;
1328            } finally {
1329                if (out != null) out.close();
1330                if (buffer != null) buffer.close();
1331                if (pwf != null) pwf.close();
1332            }
1333        } catch (IOException e) {
1334            Slog.e(TAG, "Unable to set backup password");
1335        }
1336        return false;
1337    }
1338
1339    @Override
1340    public boolean hasBackupPassword() {
1341        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
1342                "hasBackupPassword");
1343
1344        try {
1345            return (mMountService.getEncryptionState() != IMountService.ENCRYPTION_STATE_NONE)
1346                || (mPasswordHash != null && mPasswordHash.length() > 0);
1347        } catch (Exception e) {
1348            // If we can't talk to the mount service we have a serious problem; fail
1349            // "secure" i.e. assuming that we require a password
1350            return true;
1351        }
1352    }
1353
1354    private boolean backupPasswordMatches(String currentPw) {
1355        if (hasBackupPassword()) {
1356            final boolean pbkdf2Fallback = (mPasswordVersion < BACKUP_PW_FILE_VERSION);
1357            if (!passwordMatchesSaved(PBKDF_CURRENT, currentPw, PBKDF2_HASH_ROUNDS)
1358                    && !(pbkdf2Fallback && passwordMatchesSaved(PBKDF_FALLBACK,
1359                            currentPw, PBKDF2_HASH_ROUNDS))) {
1360                if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
1361                return false;
1362            }
1363        }
1364        return true;
1365    }
1366
1367    // Maintain persistent state around whether need to do an initialize operation.
1368    // Must be called with the queue lock held.
1369    void recordInitPendingLocked(boolean isPending, String transportName) {
1370        if (DEBUG) Slog.i(TAG, "recordInitPendingLocked: " + isPending
1371                + " on transport " + transportName);
1372        mBackupHandler.removeMessages(MSG_RETRY_INIT);
1373
1374        try {
1375            IBackupTransport transport = getTransport(transportName);
1376            if (transport != null) {
1377                String transportDirName = transport.transportDirName();
1378                File stateDir = new File(mBaseStateDir, transportDirName);
1379                File initPendingFile = new File(stateDir, INIT_SENTINEL_FILE_NAME);
1380
1381                if (isPending) {
1382                    // We need an init before we can proceed with sending backup data.
1383                    // Record that with an entry in our set of pending inits, as well as
1384                    // journaling it via creation of a sentinel file.
1385                    mPendingInits.add(transportName);
1386                    try {
1387                        (new FileOutputStream(initPendingFile)).close();
1388                    } catch (IOException ioe) {
1389                        // Something is badly wrong with our permissions; just try to move on
1390                    }
1391                } else {
1392                    // No more initialization needed; wipe the journal and reset our state.
1393                    initPendingFile.delete();
1394                    mPendingInits.remove(transportName);
1395                }
1396                return; // done; don't fall through to the error case
1397            }
1398        } catch (RemoteException e) {
1399            // transport threw when asked its name; fall through to the lookup-failed case
1400        }
1401
1402        // The named transport doesn't exist or threw.  This operation is
1403        // important, so we record the need for a an init and post a message
1404        // to retry the init later.
1405        if (isPending) {
1406            mPendingInits.add(transportName);
1407            mBackupHandler.sendMessageDelayed(
1408                    mBackupHandler.obtainMessage(MSG_RETRY_INIT,
1409                            (isPending ? 1 : 0),
1410                            0,
1411                            transportName),
1412                    TRANSPORT_RETRY_INTERVAL);
1413        }
1414    }
1415
1416    // Reset all of our bookkeeping, in response to having been told that
1417    // the backend data has been wiped [due to idle expiry, for example],
1418    // so we must re-upload all saved settings.
1419    void resetBackupState(File stateFileDir) {
1420        synchronized (mQueueLock) {
1421            // Wipe the "what we've ever backed up" tracking
1422            mEverStoredApps.clear();
1423            mEverStored.delete();
1424
1425            mCurrentToken = 0;
1426            writeRestoreTokens();
1427
1428            // Remove all the state files
1429            for (File sf : stateFileDir.listFiles()) {
1430                // ... but don't touch the needs-init sentinel
1431                if (!sf.getName().equals(INIT_SENTINEL_FILE_NAME)) {
1432                    sf.delete();
1433                }
1434            }
1435        }
1436
1437        // Enqueue a new backup of every participant
1438        synchronized (mBackupParticipants) {
1439            final int N = mBackupParticipants.size();
1440            for (int i=0; i<N; i++) {
1441                HashSet<String> participants = mBackupParticipants.valueAt(i);
1442                if (participants != null) {
1443                    for (String packageName : participants) {
1444                        dataChangedImpl(packageName);
1445                    }
1446                }
1447            }
1448        }
1449    }
1450
1451    // Add a transport to our set of available backends.  If 'transport' is null, this
1452    // is an unregistration, and the transport's entry is removed from our bookkeeping.
1453    private void registerTransport(String name, String component, IBackupTransport transport) {
1454        synchronized (mTransports) {
1455            if (DEBUG) Slog.v(TAG, "Registering transport "
1456                    + component + "::" + name + " = " + transport);
1457            if (transport != null) {
1458                mTransports.put(name, transport);
1459                mTransportNames.put(component, name);
1460            } else {
1461                mTransports.remove(mTransportNames.get(component));
1462                mTransportNames.remove(component);
1463                // Nothing further to do in the unregistration case
1464                return;
1465            }
1466        }
1467
1468        // If the init sentinel file exists, we need to be sure to perform the init
1469        // as soon as practical.  We also create the state directory at registration
1470        // time to ensure it's present from the outset.
1471        try {
1472            String transportName = transport.transportDirName();
1473            File stateDir = new File(mBaseStateDir, transportName);
1474            stateDir.mkdirs();
1475
1476            File initSentinel = new File(stateDir, INIT_SENTINEL_FILE_NAME);
1477            if (initSentinel.exists()) {
1478                synchronized (mQueueLock) {
1479                    mPendingInits.add(transportName);
1480
1481                    // TODO: pick a better starting time than now + 1 minute
1482                    long delay = 1000 * 60; // one minute, in milliseconds
1483                    mAlarmManager.set(AlarmManager.RTC_WAKEUP,
1484                            System.currentTimeMillis() + delay, mRunInitIntent);
1485                }
1486            }
1487        } catch (RemoteException e) {
1488            // the transport threw when asked its file naming prefs; declare it invalid
1489            Slog.e(TAG, "Unable to register transport as " + name);
1490            mTransportNames.remove(component);
1491            mTransports.remove(name);
1492        }
1493    }
1494
1495    // ----- Track installation/removal of packages -----
1496    BroadcastReceiver mBroadcastReceiver = new BroadcastReceiver() {
1497        public void onReceive(Context context, Intent intent) {
1498            if (DEBUG) Slog.d(TAG, "Received broadcast " + intent);
1499
1500            String action = intent.getAction();
1501            boolean replacing = false;
1502            boolean added = false;
1503            Bundle extras = intent.getExtras();
1504            String pkgList[] = null;
1505            if (Intent.ACTION_PACKAGE_ADDED.equals(action) ||
1506                    Intent.ACTION_PACKAGE_REMOVED.equals(action)) {
1507                Uri uri = intent.getData();
1508                if (uri == null) {
1509                    return;
1510                }
1511                String pkgName = uri.getSchemeSpecificPart();
1512                if (pkgName != null) {
1513                    pkgList = new String[] { pkgName };
1514                }
1515                added = Intent.ACTION_PACKAGE_ADDED.equals(action);
1516                replacing = extras.getBoolean(Intent.EXTRA_REPLACING, false);
1517            } else if (Intent.ACTION_EXTERNAL_APPLICATIONS_AVAILABLE.equals(action)) {
1518                added = true;
1519                pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
1520            } else if (Intent.ACTION_EXTERNAL_APPLICATIONS_UNAVAILABLE.equals(action)) {
1521                added = false;
1522                pkgList = intent.getStringArrayExtra(Intent.EXTRA_CHANGED_PACKAGE_LIST);
1523            }
1524
1525            if (pkgList == null || pkgList.length == 0) {
1526                return;
1527            }
1528
1529            final int uid = extras.getInt(Intent.EXTRA_UID);
1530            if (added) {
1531                synchronized (mBackupParticipants) {
1532                    if (replacing) {
1533                        // This is the package-replaced case; we just remove the entry
1534                        // under the old uid and fall through to re-add.
1535                        removePackageParticipantsLocked(pkgList, uid);
1536                    }
1537                    addPackageParticipantsLocked(pkgList);
1538                }
1539            } else {
1540                if (replacing) {
1541                    // The package is being updated.  We'll receive a PACKAGE_ADDED shortly.
1542                } else {
1543                    synchronized (mBackupParticipants) {
1544                        removePackageParticipantsLocked(pkgList, uid);
1545                    }
1546                }
1547            }
1548        }
1549    };
1550
1551    // ----- Track connection to transports service -----
1552    class TransportConnection implements ServiceConnection {
1553        @Override
1554        public void onServiceConnected(ComponentName component, IBinder service) {
1555            if (DEBUG) Slog.v(TAG, "Connected to transport " + component);
1556            try {
1557                IBackupTransport transport = IBackupTransport.Stub.asInterface(service);
1558                registerTransport(transport.name(), component.flattenToShortString(), transport);
1559            } catch (RemoteException e) {
1560                Slog.e(TAG, "Unable to register transport " + component);
1561            }
1562        }
1563
1564        @Override
1565        public void onServiceDisconnected(ComponentName component) {
1566            if (DEBUG) Slog.v(TAG, "Disconnected from transport " + component);
1567            registerTransport(null, component.flattenToShortString(), null);
1568        }
1569    };
1570
1571    // Add the backup agents in the given packages to our set of known backup participants.
1572    // If 'packageNames' is null, adds all backup agents in the whole system.
1573    void addPackageParticipantsLocked(String[] packageNames) {
1574        // Look for apps that define the android:backupAgent attribute
1575        List<PackageInfo> targetApps = allAgentPackages();
1576        if (packageNames != null) {
1577            if (DEBUG) Slog.v(TAG, "addPackageParticipantsLocked: #" + packageNames.length);
1578            for (String packageName : packageNames) {
1579                addPackageParticipantsLockedInner(packageName, targetApps);
1580            }
1581        } else {
1582            if (DEBUG) Slog.v(TAG, "addPackageParticipantsLocked: all");
1583            addPackageParticipantsLockedInner(null, targetApps);
1584        }
1585    }
1586
1587    private void addPackageParticipantsLockedInner(String packageName,
1588            List<PackageInfo> targetPkgs) {
1589        if (MORE_DEBUG) {
1590            Slog.v(TAG, "Examining " + packageName + " for backup agent");
1591        }
1592
1593        for (PackageInfo pkg : targetPkgs) {
1594            if (packageName == null || pkg.packageName.equals(packageName)) {
1595                int uid = pkg.applicationInfo.uid;
1596                HashSet<String> set = mBackupParticipants.get(uid);
1597                if (set == null) {
1598                    set = new HashSet<String>();
1599                    mBackupParticipants.put(uid, set);
1600                }
1601                set.add(pkg.packageName);
1602                if (MORE_DEBUG) Slog.v(TAG, "Agent found; added");
1603
1604                // Schedule a backup for it on general principles
1605                if (DEBUG) Slog.i(TAG, "Scheduling backup for new app " + pkg.packageName);
1606                dataChangedImpl(pkg.packageName);
1607            }
1608        }
1609    }
1610
1611    // Remove the given packages' entries from our known active set.
1612    void removePackageParticipantsLocked(String[] packageNames, int oldUid) {
1613        if (packageNames == null) {
1614            Slog.w(TAG, "removePackageParticipants with null list");
1615            return;
1616        }
1617
1618        if (DEBUG) Slog.v(TAG, "removePackageParticipantsLocked: uid=" + oldUid
1619                + " #" + packageNames.length);
1620        for (String pkg : packageNames) {
1621            // Known previous UID, so we know which package set to check
1622            HashSet<String> set = mBackupParticipants.get(oldUid);
1623            if (set != null && set.contains(pkg)) {
1624                removePackageFromSetLocked(set, pkg);
1625                if (set.isEmpty()) {
1626                    if (MORE_DEBUG) Slog.v(TAG, "  last one of this uid; purging set");
1627                    mBackupParticipants.remove(oldUid);
1628                }
1629            }
1630        }
1631    }
1632
1633    private void removePackageFromSetLocked(final HashSet<String> set,
1634            final String packageName) {
1635        if (set.contains(packageName)) {
1636            // Found it.  Remove this one package from the bookkeeping, and
1637            // if it's the last participating app under this uid we drop the
1638            // (now-empty) set as well.
1639            // Note that we deliberately leave it 'known' in the "ever backed up"
1640            // bookkeeping so that its current-dataset data will be retrieved
1641            // if the app is subsequently reinstalled
1642            if (MORE_DEBUG) Slog.v(TAG, "  removing participant " + packageName);
1643            set.remove(packageName);
1644            mPendingBackups.remove(packageName);
1645        }
1646    }
1647
1648    // Returns the set of all applications that define an android:backupAgent attribute
1649    List<PackageInfo> allAgentPackages() {
1650        // !!! TODO: cache this and regenerate only when necessary
1651        int flags = PackageManager.GET_SIGNATURES;
1652        List<PackageInfo> packages = mPackageManager.getInstalledPackages(flags);
1653        int N = packages.size();
1654        for (int a = N-1; a >= 0; a--) {
1655            PackageInfo pkg = packages.get(a);
1656            try {
1657                ApplicationInfo app = pkg.applicationInfo;
1658                if (((app.flags&ApplicationInfo.FLAG_ALLOW_BACKUP) == 0)
1659                        || app.backupAgentName == null) {
1660                    packages.remove(a);
1661                }
1662                else {
1663                    // we will need the shared library path, so look that up and store it here
1664                    app = mPackageManager.getApplicationInfo(pkg.packageName,
1665                            PackageManager.GET_SHARED_LIBRARY_FILES);
1666                    pkg.applicationInfo.sharedLibraryFiles = app.sharedLibraryFiles;
1667                }
1668            } catch (NameNotFoundException e) {
1669                packages.remove(a);
1670            }
1671        }
1672        return packages;
1673    }
1674
1675    // Called from the backup task: record that the given app has been successfully
1676    // backed up at least once
1677    void logBackupComplete(String packageName) {
1678        if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) return;
1679
1680        synchronized (mEverStoredApps) {
1681            if (!mEverStoredApps.add(packageName)) return;
1682
1683            RandomAccessFile out = null;
1684            try {
1685                out = new RandomAccessFile(mEverStored, "rws");
1686                out.seek(out.length());
1687                out.writeUTF(packageName);
1688            } catch (IOException e) {
1689                Slog.e(TAG, "Can't log backup of " + packageName + " to " + mEverStored);
1690            } finally {
1691                try { if (out != null) out.close(); } catch (IOException e) {}
1692            }
1693        }
1694    }
1695
1696    // Remove our awareness of having ever backed up the given package
1697    void removeEverBackedUp(String packageName) {
1698        if (DEBUG) Slog.v(TAG, "Removing backed-up knowledge of " + packageName);
1699        if (MORE_DEBUG) Slog.v(TAG, "New set:");
1700
1701        synchronized (mEverStoredApps) {
1702            // Rewrite the file and rename to overwrite.  If we reboot in the middle,
1703            // we'll recognize on initialization time that the package no longer
1704            // exists and fix it up then.
1705            File tempKnownFile = new File(mBaseStateDir, "processed.new");
1706            RandomAccessFile known = null;
1707            try {
1708                known = new RandomAccessFile(tempKnownFile, "rws");
1709                mEverStoredApps.remove(packageName);
1710                for (String s : mEverStoredApps) {
1711                    known.writeUTF(s);
1712                    if (MORE_DEBUG) Slog.v(TAG, "    " + s);
1713                }
1714                known.close();
1715                known = null;
1716                if (!tempKnownFile.renameTo(mEverStored)) {
1717                    throw new IOException("Can't rename " + tempKnownFile + " to " + mEverStored);
1718                }
1719            } catch (IOException e) {
1720                // Bad: we couldn't create the new copy.  For safety's sake we
1721                // abandon the whole process and remove all what's-backed-up
1722                // state entirely, meaning we'll force a backup pass for every
1723                // participant on the next boot or [re]install.
1724                Slog.w(TAG, "Error rewriting " + mEverStored, e);
1725                mEverStoredApps.clear();
1726                tempKnownFile.delete();
1727                mEverStored.delete();
1728            } finally {
1729                try { if (known != null) known.close(); } catch (IOException e) {}
1730            }
1731        }
1732    }
1733
1734    // Persistently record the current and ancestral backup tokens as well
1735    // as the set of packages with data [supposedly] available in the
1736    // ancestral dataset.
1737    void writeRestoreTokens() {
1738        try {
1739            RandomAccessFile af = new RandomAccessFile(mTokenFile, "rwd");
1740
1741            // First, the version number of this record, for futureproofing
1742            af.writeInt(CURRENT_ANCESTRAL_RECORD_VERSION);
1743
1744            // Write the ancestral and current tokens
1745            af.writeLong(mAncestralToken);
1746            af.writeLong(mCurrentToken);
1747
1748            // Now write the set of ancestral packages
1749            if (mAncestralPackages == null) {
1750                af.writeInt(-1);
1751            } else {
1752                af.writeInt(mAncestralPackages.size());
1753                if (DEBUG) Slog.v(TAG, "Ancestral packages:  " + mAncestralPackages.size());
1754                for (String pkgName : mAncestralPackages) {
1755                    af.writeUTF(pkgName);
1756                    if (MORE_DEBUG) Slog.v(TAG, "   " + pkgName);
1757                }
1758            }
1759            af.close();
1760        } catch (IOException e) {
1761            Slog.w(TAG, "Unable to write token file:", e);
1762        }
1763    }
1764
1765    // Return the given transport
1766    private IBackupTransport getTransport(String transportName) {
1767        synchronized (mTransports) {
1768            IBackupTransport transport = mTransports.get(transportName);
1769            if (transport == null) {
1770                Slog.w(TAG, "Requested unavailable transport: " + transportName);
1771            }
1772            return transport;
1773        }
1774    }
1775
1776    // fire off a backup agent, blocking until it attaches or times out
1777    IBackupAgent bindToAgentSynchronous(ApplicationInfo app, int mode) {
1778        IBackupAgent agent = null;
1779        synchronized(mAgentConnectLock) {
1780            mConnecting = true;
1781            mConnectedAgent = null;
1782            try {
1783                if (mActivityManager.bindBackupAgent(app, mode)) {
1784                    Slog.d(TAG, "awaiting agent for " + app);
1785
1786                    // success; wait for the agent to arrive
1787                    // only wait 10 seconds for the bind to happen
1788                    long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
1789                    while (mConnecting && mConnectedAgent == null
1790                            && (System.currentTimeMillis() < timeoutMark)) {
1791                        try {
1792                            mAgentConnectLock.wait(5000);
1793                        } catch (InterruptedException e) {
1794                            // just bail
1795                            if (DEBUG) Slog.w(TAG, "Interrupted: " + e);
1796                            mActivityManager.clearPendingBackup();
1797                            return null;
1798                        }
1799                    }
1800
1801                    // if we timed out with no connect, abort and move on
1802                    if (mConnecting == true) {
1803                        Slog.w(TAG, "Timeout waiting for agent " + app);
1804                        mActivityManager.clearPendingBackup();
1805                        return null;
1806                    }
1807                    if (DEBUG) Slog.i(TAG, "got agent " + mConnectedAgent);
1808                    agent = mConnectedAgent;
1809                }
1810            } catch (RemoteException e) {
1811                // can't happen - ActivityManager is local
1812            }
1813        }
1814        return agent;
1815    }
1816
1817    // clear an application's data, blocking until the operation completes or times out
1818    void clearApplicationDataSynchronous(String packageName) {
1819        // Don't wipe packages marked allowClearUserData=false
1820        try {
1821            PackageInfo info = mPackageManager.getPackageInfo(packageName, 0);
1822            if ((info.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_CLEAR_USER_DATA) == 0) {
1823                if (MORE_DEBUG) Slog.i(TAG, "allowClearUserData=false so not wiping "
1824                        + packageName);
1825                return;
1826            }
1827        } catch (NameNotFoundException e) {
1828            Slog.w(TAG, "Tried to clear data for " + packageName + " but not found");
1829            return;
1830        }
1831
1832        ClearDataObserver observer = new ClearDataObserver();
1833
1834        synchronized(mClearDataLock) {
1835            mClearingData = true;
1836            try {
1837                mActivityManager.clearApplicationUserData(packageName, observer, 0);
1838            } catch (RemoteException e) {
1839                // can't happen because the activity manager is in this process
1840            }
1841
1842            // only wait 10 seconds for the clear data to happen
1843            long timeoutMark = System.currentTimeMillis() + TIMEOUT_INTERVAL;
1844            while (mClearingData && (System.currentTimeMillis() < timeoutMark)) {
1845                try {
1846                    mClearDataLock.wait(5000);
1847                } catch (InterruptedException e) {
1848                    // won't happen, but still.
1849                    mClearingData = false;
1850                }
1851            }
1852        }
1853    }
1854
1855    class ClearDataObserver extends IPackageDataObserver.Stub {
1856        public void onRemoveCompleted(String packageName, boolean succeeded) {
1857            synchronized(mClearDataLock) {
1858                mClearingData = false;
1859                mClearDataLock.notifyAll();
1860            }
1861        }
1862    }
1863
1864    // Get the restore-set token for the best-available restore set for this package:
1865    // the active set if possible, else the ancestral one.  Returns zero if none available.
1866    long getAvailableRestoreToken(String packageName) {
1867        long token = mAncestralToken;
1868        synchronized (mQueueLock) {
1869            if (mEverStoredApps.contains(packageName)) {
1870                token = mCurrentToken;
1871            }
1872        }
1873        return token;
1874    }
1875
1876    // -----
1877    // Interface and methods used by the asynchronous-with-timeout backup/restore operations
1878
1879    interface BackupRestoreTask {
1880        // Execute one tick of whatever state machine the task implements
1881        void execute();
1882
1883        // An operation that wanted a callback has completed
1884        void operationComplete();
1885
1886        // An operation that wanted a callback has timed out
1887        void handleTimeout();
1888    }
1889
1890    void prepareOperationTimeout(int token, long interval, BackupRestoreTask callback) {
1891        if (MORE_DEBUG) Slog.v(TAG, "starting timeout: token=" + Integer.toHexString(token)
1892                + " interval=" + interval);
1893        synchronized (mCurrentOpLock) {
1894            mCurrentOperations.put(token, new Operation(OP_PENDING, callback));
1895
1896            Message msg = mBackupHandler.obtainMessage(MSG_TIMEOUT, token, 0, callback);
1897            mBackupHandler.sendMessageDelayed(msg, interval);
1898        }
1899    }
1900
1901    // synchronous waiter case
1902    boolean waitUntilOperationComplete(int token) {
1903        if (MORE_DEBUG) Slog.i(TAG, "Blocking until operation complete for "
1904                + Integer.toHexString(token));
1905        int finalState = OP_PENDING;
1906        Operation op = null;
1907        synchronized (mCurrentOpLock) {
1908            while (true) {
1909                op = mCurrentOperations.get(token);
1910                if (op == null) {
1911                    // mysterious disappearance: treat as success with no callback
1912                    break;
1913                } else {
1914                    if (op.state == OP_PENDING) {
1915                        try {
1916                            mCurrentOpLock.wait();
1917                        } catch (InterruptedException e) {}
1918                        // When the wait is notified we loop around and recheck the current state
1919                    } else {
1920                        // No longer pending; we're done
1921                        finalState = op.state;
1922                        break;
1923                    }
1924                }
1925            }
1926        }
1927
1928        mBackupHandler.removeMessages(MSG_TIMEOUT);
1929        if (MORE_DEBUG) Slog.v(TAG, "operation " + Integer.toHexString(token)
1930                + " complete: finalState=" + finalState);
1931        return finalState == OP_ACKNOWLEDGED;
1932    }
1933
1934    void handleTimeout(int token, Object obj) {
1935        // Notify any synchronous waiters
1936        Operation op = null;
1937        synchronized (mCurrentOpLock) {
1938            op = mCurrentOperations.get(token);
1939            if (MORE_DEBUG) {
1940                if (op == null) Slog.w(TAG, "Timeout of token " + Integer.toHexString(token)
1941                        + " but no op found");
1942            }
1943            int state = (op != null) ? op.state : OP_TIMEOUT;
1944            if (state == OP_PENDING) {
1945                if (DEBUG) Slog.v(TAG, "TIMEOUT: token=" + Integer.toHexString(token));
1946                op.state = OP_TIMEOUT;
1947                mCurrentOperations.put(token, op);
1948            }
1949            mCurrentOpLock.notifyAll();
1950        }
1951
1952        // If there's a TimeoutHandler for this event, call it
1953        if (op != null && op.callback != null) {
1954            op.callback.handleTimeout();
1955        }
1956    }
1957
1958    // ----- Back up a set of applications via a worker thread -----
1959
1960    enum BackupState {
1961        INITIAL,
1962        RUNNING_QUEUE,
1963        FINAL
1964    }
1965
1966    class PerformBackupTask implements BackupRestoreTask {
1967        private static final String TAG = "PerformBackupTask";
1968
1969        IBackupTransport mTransport;
1970        ArrayList<BackupRequest> mQueue;
1971        ArrayList<BackupRequest> mOriginalQueue;
1972        File mStateDir;
1973        File mJournal;
1974        BackupState mCurrentState;
1975
1976        // carried information about the current in-flight operation
1977        PackageInfo mCurrentPackage;
1978        File mSavedStateName;
1979        File mBackupDataName;
1980        File mNewStateName;
1981        ParcelFileDescriptor mSavedState;
1982        ParcelFileDescriptor mBackupData;
1983        ParcelFileDescriptor mNewState;
1984        int mStatus;
1985        boolean mFinished;
1986
1987        public PerformBackupTask(IBackupTransport transport, String dirName,
1988                ArrayList<BackupRequest> queue, File journal) {
1989            mTransport = transport;
1990            mOriginalQueue = queue;
1991            mJournal = journal;
1992
1993            mStateDir = new File(mBaseStateDir, dirName);
1994
1995            mCurrentState = BackupState.INITIAL;
1996            mFinished = false;
1997
1998            addBackupTrace("STATE => INITIAL");
1999        }
2000
2001        // Main entry point: perform one chunk of work, updating the state as appropriate
2002        // and reposting the next chunk to the primary backup handler thread.
2003        @Override
2004        public void execute() {
2005            switch (mCurrentState) {
2006                case INITIAL:
2007                    beginBackup();
2008                    break;
2009
2010                case RUNNING_QUEUE:
2011                    invokeNextAgent();
2012                    break;
2013
2014                case FINAL:
2015                    if (!mFinished) finalizeBackup();
2016                    else {
2017                        Slog.e(TAG, "Duplicate finish");
2018                    }
2019                    mFinished = true;
2020                    break;
2021            }
2022        }
2023
2024        // We're starting a backup pass.  Initialize the transport and send
2025        // the PM metadata blob if we haven't already.
2026        void beginBackup() {
2027            if (DEBUG_BACKUP_TRACE) {
2028                clearBackupTrace();
2029                StringBuilder b = new StringBuilder(256);
2030                b.append("beginBackup: [");
2031                for (BackupRequest req : mOriginalQueue) {
2032                    b.append(' ');
2033                    b.append(req.packageName);
2034                }
2035                b.append(" ]");
2036                addBackupTrace(b.toString());
2037            }
2038
2039            mStatus = BackupConstants.TRANSPORT_OK;
2040
2041            // Sanity check: if the queue is empty we have no work to do.
2042            if (mOriginalQueue.isEmpty()) {
2043                Slog.w(TAG, "Backup begun with an empty queue - nothing to do.");
2044                addBackupTrace("queue empty at begin");
2045                executeNextState(BackupState.FINAL);
2046                return;
2047            }
2048
2049            // We need to retain the original queue contents in case of transport
2050            // failure, but we want a working copy that we can manipulate along
2051            // the way.
2052            mQueue = (ArrayList<BackupRequest>) mOriginalQueue.clone();
2053
2054            if (DEBUG) Slog.v(TAG, "Beginning backup of " + mQueue.size() + " targets");
2055
2056            File pmState = new File(mStateDir, PACKAGE_MANAGER_SENTINEL);
2057            try {
2058                final String transportName = mTransport.transportDirName();
2059                EventLog.writeEvent(EventLogTags.BACKUP_START, transportName);
2060
2061                // If we haven't stored package manager metadata yet, we must init the transport.
2062                if (mStatus == BackupConstants.TRANSPORT_OK && pmState.length() <= 0) {
2063                    Slog.i(TAG, "Initializing (wiping) backup state and transport storage");
2064                    addBackupTrace("initializing transport " + transportName);
2065                    resetBackupState(mStateDir);  // Just to make sure.
2066                    mStatus = mTransport.initializeDevice();
2067
2068                    addBackupTrace("transport.initializeDevice() == " + mStatus);
2069                    if (mStatus == BackupConstants.TRANSPORT_OK) {
2070                        EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
2071                    } else {
2072                        EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
2073                        Slog.e(TAG, "Transport error in initializeDevice()");
2074                    }
2075                }
2076
2077                // The package manager doesn't have a proper <application> etc, but since
2078                // it's running here in the system process we can just set up its agent
2079                // directly and use a synthetic BackupRequest.  We always run this pass
2080                // because it's cheap and this way we guarantee that we don't get out of
2081                // step even if we're selecting among various transports at run time.
2082                if (mStatus == BackupConstants.TRANSPORT_OK) {
2083                    PackageManagerBackupAgent pmAgent = new PackageManagerBackupAgent(
2084                            mPackageManager, allAgentPackages());
2085                    mStatus = invokeAgentForBackup(PACKAGE_MANAGER_SENTINEL,
2086                            IBackupAgent.Stub.asInterface(pmAgent.onBind()), mTransport);
2087                    addBackupTrace("PMBA invoke: " + mStatus);
2088                }
2089
2090                if (mStatus == BackupConstants.TRANSPORT_NOT_INITIALIZED) {
2091                    // The backend reports that our dataset has been wiped.  Note this in
2092                    // the event log; the no-success code below will reset the backup
2093                    // state as well.
2094                    EventLog.writeEvent(EventLogTags.BACKUP_RESET, mTransport.transportDirName());
2095                }
2096            } catch (Exception e) {
2097                Slog.e(TAG, "Error in backup thread", e);
2098                addBackupTrace("Exception in backup thread: " + e);
2099                mStatus = BackupConstants.TRANSPORT_ERROR;
2100            } finally {
2101                // If we've succeeded so far, invokeAgentForBackup() will have run the PM
2102                // metadata and its completion/timeout callback will continue the state
2103                // machine chain.  If it failed that won't happen; we handle that now.
2104                addBackupTrace("exiting prelim: " + mStatus);
2105                if (mStatus != BackupConstants.TRANSPORT_OK) {
2106                    // if things went wrong at this point, we need to
2107                    // restage everything and try again later.
2108                    resetBackupState(mStateDir);  // Just to make sure.
2109                    executeNextState(BackupState.FINAL);
2110                }
2111            }
2112        }
2113
2114        // Transport has been initialized and the PM metadata submitted successfully
2115        // if that was warranted.  Now we process the single next thing in the queue.
2116        void invokeNextAgent() {
2117            mStatus = BackupConstants.TRANSPORT_OK;
2118            addBackupTrace("invoke q=" + mQueue.size());
2119
2120            // Sanity check that we have work to do.  If not, skip to the end where
2121            // we reestablish the wakelock invariants etc.
2122            if (mQueue.isEmpty()) {
2123                if (DEBUG) Slog.i(TAG, "queue now empty");
2124                executeNextState(BackupState.FINAL);
2125                return;
2126            }
2127
2128            // pop the entry we're going to process on this step
2129            BackupRequest request = mQueue.get(0);
2130            mQueue.remove(0);
2131
2132            Slog.d(TAG, "starting agent for backup of " + request);
2133            addBackupTrace("launch agent for " + request.packageName);
2134
2135            // Verify that the requested app exists; it might be something that
2136            // requested a backup but was then uninstalled.  The request was
2137            // journalled and rather than tamper with the journal it's safer
2138            // to sanity-check here.  This also gives us the classname of the
2139            // package's backup agent.
2140            try {
2141                mCurrentPackage = mPackageManager.getPackageInfo(request.packageName,
2142                        PackageManager.GET_SIGNATURES);
2143                if (mCurrentPackage.applicationInfo.backupAgentName == null) {
2144                    // The manifest has changed but we had a stale backup request pending.
2145                    // This won't happen again because the app won't be requesting further
2146                    // backups.
2147                    Slog.i(TAG, "Package " + request.packageName
2148                            + " no longer supports backup; skipping");
2149                    addBackupTrace("skipping - no agent, completion is noop");
2150                    executeNextState(BackupState.RUNNING_QUEUE);
2151                    return;
2152                }
2153
2154                if ((mCurrentPackage.applicationInfo.flags & ApplicationInfo.FLAG_STOPPED) != 0) {
2155                    // The app has been force-stopped or cleared or just installed,
2156                    // and not yet launched out of that state, so just as it won't
2157                    // receive broadcasts, we won't run it for backup.
2158                    addBackupTrace("skipping - stopped");
2159                    executeNextState(BackupState.RUNNING_QUEUE);
2160                    return;
2161                }
2162
2163                IBackupAgent agent = null;
2164                try {
2165                    mWakelock.setWorkSource(new WorkSource(mCurrentPackage.applicationInfo.uid));
2166                    agent = bindToAgentSynchronous(mCurrentPackage.applicationInfo,
2167                            IApplicationThread.BACKUP_MODE_INCREMENTAL);
2168                    addBackupTrace("agent bound; a? = " + (agent != null));
2169                    if (agent != null) {
2170                        mStatus = invokeAgentForBackup(request.packageName, agent, mTransport);
2171                        // at this point we'll either get a completion callback from the
2172                        // agent, or a timeout message on the main handler.  either way, we're
2173                        // done here as long as we're successful so far.
2174                    } else {
2175                        // Timeout waiting for the agent
2176                        mStatus = BackupConstants.AGENT_ERROR;
2177                    }
2178                } catch (SecurityException ex) {
2179                    // Try for the next one.
2180                    Slog.d(TAG, "error in bind/backup", ex);
2181                    mStatus = BackupConstants.AGENT_ERROR;
2182                            addBackupTrace("agent SE");
2183                }
2184            } catch (NameNotFoundException e) {
2185                Slog.d(TAG, "Package does not exist; skipping");
2186                addBackupTrace("no such package");
2187                mStatus = BackupConstants.AGENT_UNKNOWN;
2188            } finally {
2189                mWakelock.setWorkSource(null);
2190
2191                // If there was an agent error, no timeout/completion handling will occur.
2192                // That means we need to direct to the next state ourselves.
2193                if (mStatus != BackupConstants.TRANSPORT_OK) {
2194                    BackupState nextState = BackupState.RUNNING_QUEUE;
2195
2196                    // An agent-level failure means we reenqueue this one agent for
2197                    // a later retry, but otherwise proceed normally.
2198                    if (mStatus == BackupConstants.AGENT_ERROR) {
2199                        if (MORE_DEBUG) Slog.i(TAG, "Agent failure for " + request.packageName
2200                                + " - restaging");
2201                        dataChangedImpl(request.packageName);
2202                        mStatus = BackupConstants.TRANSPORT_OK;
2203                        if (mQueue.isEmpty()) nextState = BackupState.FINAL;
2204                    } else if (mStatus == BackupConstants.AGENT_UNKNOWN) {
2205                        // Failed lookup of the app, so we couldn't bring up an agent, but
2206                        // we're otherwise fine.  Just drop it and go on to the next as usual.
2207                        mStatus = BackupConstants.TRANSPORT_OK;
2208                    } else {
2209                        // Transport-level failure means we reenqueue everything
2210                        revertAndEndBackup();
2211                        nextState = BackupState.FINAL;
2212                    }
2213
2214                    executeNextState(nextState);
2215                } else {
2216                    addBackupTrace("expecting completion/timeout callback");
2217                }
2218            }
2219        }
2220
2221        void finalizeBackup() {
2222            addBackupTrace("finishing");
2223
2224            // Either backup was successful, in which case we of course do not need
2225            // this pass's journal any more; or it failed, in which case we just
2226            // re-enqueued all of these packages in the current active journal.
2227            // Either way, we no longer need this pass's journal.
2228            if (mJournal != null && !mJournal.delete()) {
2229                Slog.e(TAG, "Unable to remove backup journal file " + mJournal);
2230            }
2231
2232            // If everything actually went through and this is the first time we've
2233            // done a backup, we can now record what the current backup dataset token
2234            // is.
2235            if ((mCurrentToken == 0) && (mStatus == BackupConstants.TRANSPORT_OK)) {
2236                addBackupTrace("success; recording token");
2237                try {
2238                    mCurrentToken = mTransport.getCurrentRestoreSet();
2239                    writeRestoreTokens();
2240                } catch (RemoteException e) {
2241                    // nothing for it at this point, unfortunately, but this will be
2242                    // recorded the next time we fully succeed.
2243                    addBackupTrace("transport threw returning token");
2244                }
2245            }
2246
2247            // Set up the next backup pass - at this point we can set mBackupRunning
2248            // to false to allow another pass to fire, because we're done with the
2249            // state machine sequence and the wakelock is refcounted.
2250            synchronized (mQueueLock) {
2251                mBackupRunning = false;
2252                if (mStatus == BackupConstants.TRANSPORT_NOT_INITIALIZED) {
2253                    // Make sure we back up everything and perform the one-time init
2254                    clearMetadata();
2255                    if (DEBUG) Slog.d(TAG, "Server requires init; rerunning");
2256                    addBackupTrace("init required; rerunning");
2257                    backupNow();
2258                }
2259            }
2260
2261            // Only once we're entirely finished do we release the wakelock
2262            clearBackupTrace();
2263            Slog.i(TAG, "Backup pass finished.");
2264            mWakelock.release();
2265        }
2266
2267        // Remove the PM metadata state. This will generate an init on the next pass.
2268        void clearMetadata() {
2269            final File pmState = new File(mStateDir, PACKAGE_MANAGER_SENTINEL);
2270            if (pmState.exists()) pmState.delete();
2271        }
2272
2273        // Invoke an agent's doBackup() and start a timeout message spinning on the main
2274        // handler in case it doesn't get back to us.
2275        int invokeAgentForBackup(String packageName, IBackupAgent agent,
2276                IBackupTransport transport) {
2277            if (DEBUG) Slog.d(TAG, "invokeAgentForBackup on " + packageName);
2278            addBackupTrace("invoking " + packageName);
2279
2280            mSavedStateName = new File(mStateDir, packageName);
2281            mBackupDataName = new File(mDataDir, packageName + ".data");
2282            mNewStateName = new File(mStateDir, packageName + ".new");
2283
2284            mSavedState = null;
2285            mBackupData = null;
2286            mNewState = null;
2287
2288            final int token = generateToken();
2289            try {
2290                // Look up the package info & signatures.  This is first so that if it
2291                // throws an exception, there's no file setup yet that would need to
2292                // be unraveled.
2293                if (packageName.equals(PACKAGE_MANAGER_SENTINEL)) {
2294                    // The metadata 'package' is synthetic; construct one and make
2295                    // sure our global state is pointed at it
2296                    mCurrentPackage = new PackageInfo();
2297                    mCurrentPackage.packageName = packageName;
2298                }
2299
2300                // In a full backup, we pass a null ParcelFileDescriptor as
2301                // the saved-state "file". This is by definition an incremental,
2302                // so we build a saved state file to pass.
2303                mSavedState = ParcelFileDescriptor.open(mSavedStateName,
2304                        ParcelFileDescriptor.MODE_READ_ONLY |
2305                        ParcelFileDescriptor.MODE_CREATE);  // Make an empty file if necessary
2306
2307                mBackupData = ParcelFileDescriptor.open(mBackupDataName,
2308                        ParcelFileDescriptor.MODE_READ_WRITE |
2309                        ParcelFileDescriptor.MODE_CREATE |
2310                        ParcelFileDescriptor.MODE_TRUNCATE);
2311
2312                if (!SELinux.restorecon(mBackupDataName)) {
2313                    Slog.e(TAG, "SELinux restorecon failed on " + mBackupDataName);
2314                }
2315
2316                mNewState = ParcelFileDescriptor.open(mNewStateName,
2317                        ParcelFileDescriptor.MODE_READ_WRITE |
2318                        ParcelFileDescriptor.MODE_CREATE |
2319                        ParcelFileDescriptor.MODE_TRUNCATE);
2320
2321                // Initiate the target's backup pass
2322                addBackupTrace("setting timeout");
2323                prepareOperationTimeout(token, TIMEOUT_BACKUP_INTERVAL, this);
2324                addBackupTrace("calling agent doBackup()");
2325                agent.doBackup(mSavedState, mBackupData, mNewState, token, mBackupManagerBinder);
2326            } catch (Exception e) {
2327                Slog.e(TAG, "Error invoking for backup on " + packageName);
2328                addBackupTrace("exception: " + e);
2329                EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, packageName,
2330                        e.toString());
2331                agentErrorCleanup();
2332                return BackupConstants.AGENT_ERROR;
2333            }
2334
2335            // At this point the agent is off and running.  The next thing to happen will
2336            // either be a callback from the agent, at which point we'll process its data
2337            // for transport, or a timeout.  Either way the next phase will happen in
2338            // response to the TimeoutHandler interface callbacks.
2339            addBackupTrace("invoke success");
2340            return BackupConstants.TRANSPORT_OK;
2341        }
2342
2343        @Override
2344        public void operationComplete() {
2345            // Okay, the agent successfully reported back to us.  Spin the data off to the
2346            // transport and proceed with the next stage.
2347            if (MORE_DEBUG) Slog.v(TAG, "operationComplete(): sending data to transport for "
2348                    + mCurrentPackage.packageName);
2349            mBackupHandler.removeMessages(MSG_TIMEOUT);
2350            clearAgentState();
2351            addBackupTrace("operation complete");
2352
2353            ParcelFileDescriptor backupData = null;
2354            mStatus = BackupConstants.TRANSPORT_OK;
2355            try {
2356                int size = (int) mBackupDataName.length();
2357                if (size > 0) {
2358                    if (mStatus == BackupConstants.TRANSPORT_OK) {
2359                        backupData = ParcelFileDescriptor.open(mBackupDataName,
2360                                ParcelFileDescriptor.MODE_READ_ONLY);
2361                        addBackupTrace("sending data to transport");
2362                        mStatus = mTransport.performBackup(mCurrentPackage, backupData);
2363                    }
2364
2365                    // TODO - We call finishBackup() for each application backed up, because
2366                    // we need to know now whether it succeeded or failed.  Instead, we should
2367                    // hold off on finishBackup() until the end, which implies holding off on
2368                    // renaming *all* the output state files (see below) until that happens.
2369
2370                    addBackupTrace("data delivered: " + mStatus);
2371                    if (mStatus == BackupConstants.TRANSPORT_OK) {
2372                        addBackupTrace("finishing op on transport");
2373                        mStatus = mTransport.finishBackup();
2374                        addBackupTrace("finished: " + mStatus);
2375                    }
2376                } else {
2377                    if (DEBUG) Slog.i(TAG, "no backup data written; not calling transport");
2378                    addBackupTrace("no data to send");
2379                }
2380
2381                // After successful transport, delete the now-stale data
2382                // and juggle the files so that next time we supply the agent
2383                // with the new state file it just created.
2384                if (mStatus == BackupConstants.TRANSPORT_OK) {
2385                    mBackupDataName.delete();
2386                    mNewStateName.renameTo(mSavedStateName);
2387                    EventLog.writeEvent(EventLogTags.BACKUP_PACKAGE,
2388                            mCurrentPackage.packageName, size);
2389                    logBackupComplete(mCurrentPackage.packageName);
2390                } else {
2391                    EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE,
2392                            mCurrentPackage.packageName);
2393                }
2394            } catch (Exception e) {
2395                Slog.e(TAG, "Transport error backing up " + mCurrentPackage.packageName, e);
2396                EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE,
2397                        mCurrentPackage.packageName);
2398                mStatus = BackupConstants.TRANSPORT_ERROR;
2399            } finally {
2400                try { if (backupData != null) backupData.close(); } catch (IOException e) {}
2401            }
2402
2403            // If we encountered an error here it's a transport-level failure.  That
2404            // means we need to halt everything and reschedule everything for next time.
2405            final BackupState nextState;
2406            if (mStatus != BackupConstants.TRANSPORT_OK) {
2407                revertAndEndBackup();
2408                nextState = BackupState.FINAL;
2409            } else {
2410                // Success!  Proceed with the next app if any, otherwise we're done.
2411                nextState = (mQueue.isEmpty()) ? BackupState.FINAL : BackupState.RUNNING_QUEUE;
2412            }
2413
2414            executeNextState(nextState);
2415        }
2416
2417        @Override
2418        public void handleTimeout() {
2419            // Whoops, the current agent timed out running doBackup().  Tidy up and restage
2420            // it for the next time we run a backup pass.
2421            // !!! TODO: keep track of failure counts per agent, and blacklist those which
2422            // fail repeatedly (i.e. have proved themselves to be buggy).
2423            Slog.e(TAG, "Timeout backing up " + mCurrentPackage.packageName);
2424            EventLog.writeEvent(EventLogTags.BACKUP_AGENT_FAILURE, mCurrentPackage.packageName,
2425                    "timeout");
2426            addBackupTrace("timeout of " + mCurrentPackage.packageName);
2427            agentErrorCleanup();
2428            dataChangedImpl(mCurrentPackage.packageName);
2429        }
2430
2431        void revertAndEndBackup() {
2432            if (MORE_DEBUG) Slog.i(TAG, "Reverting backup queue - restaging everything");
2433            addBackupTrace("transport error; reverting");
2434            for (BackupRequest request : mOriginalQueue) {
2435                dataChangedImpl(request.packageName);
2436            }
2437            // We also want to reset the backup schedule based on whatever
2438            // the transport suggests by way of retry/backoff time.
2439            restartBackupAlarm();
2440        }
2441
2442        void agentErrorCleanup() {
2443            mBackupDataName.delete();
2444            mNewStateName.delete();
2445            clearAgentState();
2446
2447            executeNextState(mQueue.isEmpty() ? BackupState.FINAL : BackupState.RUNNING_QUEUE);
2448        }
2449
2450        // Cleanup common to both success and failure cases
2451        void clearAgentState() {
2452            try { if (mSavedState != null) mSavedState.close(); } catch (IOException e) {}
2453            try { if (mBackupData != null) mBackupData.close(); } catch (IOException e) {}
2454            try { if (mNewState != null) mNewState.close(); } catch (IOException e) {}
2455            mSavedState = mBackupData = mNewState = null;
2456            synchronized (mCurrentOpLock) {
2457                mCurrentOperations.clear();
2458            }
2459
2460            // If this was a pseudopackage there's no associated Activity Manager state
2461            if (mCurrentPackage.applicationInfo != null) {
2462                addBackupTrace("unbinding " + mCurrentPackage.packageName);
2463                try {  // unbind even on timeout, just in case
2464                    mActivityManager.unbindBackupAgent(mCurrentPackage.applicationInfo);
2465                } catch (RemoteException e) { /* can't happen; activity manager is local */ }
2466            }
2467        }
2468
2469        void restartBackupAlarm() {
2470            addBackupTrace("setting backup trigger");
2471            synchronized (mQueueLock) {
2472                try {
2473                    startBackupAlarmsLocked(mTransport.requestBackupTime());
2474                } catch (RemoteException e) { /* cannot happen */ }
2475            }
2476        }
2477
2478        void executeNextState(BackupState nextState) {
2479            if (MORE_DEBUG) Slog.i(TAG, " => executing next step on "
2480                    + this + " nextState=" + nextState);
2481            addBackupTrace("executeNextState => " + nextState);
2482            mCurrentState = nextState;
2483            Message msg = mBackupHandler.obtainMessage(MSG_BACKUP_RESTORE_STEP, this);
2484            mBackupHandler.sendMessage(msg);
2485        }
2486    }
2487
2488
2489    // ----- Full backup/restore to a file/socket -----
2490
2491    abstract class ObbServiceClient {
2492        public IObbBackupService mObbService;
2493        public void setObbBinder(IObbBackupService binder) {
2494            mObbService = binder;
2495        }
2496    }
2497
2498    class FullBackupObbConnection implements ServiceConnection {
2499        volatile IObbBackupService mService;
2500
2501        FullBackupObbConnection() {
2502            mService = null;
2503        }
2504
2505        public void establish() {
2506            if (DEBUG) Slog.i(TAG, "Initiating bind of OBB service on " + this);
2507            Intent obbIntent = new Intent().setComponent(new ComponentName(
2508                    "com.android.sharedstoragebackup",
2509                    "com.android.sharedstoragebackup.ObbBackupService"));
2510            BackupManagerService.this.mContext.bindService(
2511                    obbIntent, this, Context.BIND_AUTO_CREATE);
2512        }
2513
2514        public void tearDown() {
2515            BackupManagerService.this.mContext.unbindService(this);
2516        }
2517
2518        public boolean backupObbs(PackageInfo pkg, OutputStream out) {
2519            boolean success = false;
2520            waitForConnection();
2521
2522            ParcelFileDescriptor[] pipes = null;
2523            try {
2524                pipes = ParcelFileDescriptor.createPipe();
2525                int token = generateToken();
2526                prepareOperationTimeout(token, TIMEOUT_FULL_BACKUP_INTERVAL, null);
2527                mService.backupObbs(pkg.packageName, pipes[1], token, mBackupManagerBinder);
2528                routeSocketDataToOutput(pipes[0], out);
2529                success = waitUntilOperationComplete(token);
2530            } catch (Exception e) {
2531                Slog.w(TAG, "Unable to back up OBBs for " + pkg, e);
2532            } finally {
2533                try {
2534                    out.flush();
2535                    if (pipes != null) {
2536                        if (pipes[0] != null) pipes[0].close();
2537                        if (pipes[1] != null) pipes[1].close();
2538                    }
2539                } catch (IOException e) {
2540                    Slog.w(TAG, "I/O error closing down OBB backup", e);
2541                }
2542            }
2543            return success;
2544        }
2545
2546        public void restoreObbFile(String pkgName, ParcelFileDescriptor data,
2547                long fileSize, int type, String path, long mode, long mtime,
2548                int token, IBackupManager callbackBinder) {
2549            waitForConnection();
2550
2551            try {
2552                mService.restoreObbFile(pkgName, data, fileSize, type, path, mode, mtime,
2553                        token, callbackBinder);
2554            } catch (Exception e) {
2555                Slog.w(TAG, "Unable to restore OBBs for " + pkgName, e);
2556            }
2557        }
2558
2559        private void waitForConnection() {
2560            synchronized (this) {
2561                while (mService == null) {
2562                    if (DEBUG) Slog.i(TAG, "...waiting for OBB service binding...");
2563                    try {
2564                        this.wait();
2565                    } catch (InterruptedException e) { /* never interrupted */ }
2566                }
2567                if (DEBUG) Slog.i(TAG, "Connected to OBB service; continuing");
2568            }
2569        }
2570
2571        @Override
2572        public void onServiceConnected(ComponentName name, IBinder service) {
2573            synchronized (this) {
2574                mService = IObbBackupService.Stub.asInterface(service);
2575                if (DEBUG) Slog.i(TAG, "OBB service connection " + mService
2576                        + " connected on " + this);
2577                this.notifyAll();
2578            }
2579        }
2580
2581        @Override
2582        public void onServiceDisconnected(ComponentName name) {
2583            synchronized (this) {
2584                mService = null;
2585                if (DEBUG) Slog.i(TAG, "OBB service connection disconnected on " + this);
2586                this.notifyAll();
2587            }
2588        }
2589        
2590    }
2591
2592    private void routeSocketDataToOutput(ParcelFileDescriptor inPipe, OutputStream out)
2593            throws IOException {
2594        FileInputStream raw = new FileInputStream(inPipe.getFileDescriptor());
2595        DataInputStream in = new DataInputStream(raw);
2596
2597        byte[] buffer = new byte[32 * 1024];
2598        int chunkTotal;
2599        while ((chunkTotal = in.readInt()) > 0) {
2600            while (chunkTotal > 0) {
2601                int toRead = (chunkTotal > buffer.length) ? buffer.length : chunkTotal;
2602                int nRead = in.read(buffer, 0, toRead);
2603                out.write(buffer, 0, nRead);
2604                chunkTotal -= nRead;
2605            }
2606        }
2607    }
2608
2609    class PerformFullBackupTask extends ObbServiceClient implements Runnable {
2610        ParcelFileDescriptor mOutputFile;
2611        DeflaterOutputStream mDeflater;
2612        IFullBackupRestoreObserver mObserver;
2613        boolean mIncludeApks;
2614        boolean mIncludeObbs;
2615        boolean mIncludeShared;
2616        boolean mAllApps;
2617        final boolean mIncludeSystem;
2618        String[] mPackages;
2619        String mCurrentPassword;
2620        String mEncryptPassword;
2621        AtomicBoolean mLatchObject;
2622        File mFilesDir;
2623        File mManifestFile;
2624        
2625
2626        class FullBackupRunner implements Runnable {
2627            PackageInfo mPackage;
2628            IBackupAgent mAgent;
2629            ParcelFileDescriptor mPipe;
2630            int mToken;
2631            boolean mSendApk;
2632            boolean mWriteManifest;
2633
2634            FullBackupRunner(PackageInfo pack, IBackupAgent agent, ParcelFileDescriptor pipe,
2635                    int token, boolean sendApk, boolean writeManifest)  throws IOException {
2636                mPackage = pack;
2637                mAgent = agent;
2638                mPipe = ParcelFileDescriptor.dup(pipe.getFileDescriptor());
2639                mToken = token;
2640                mSendApk = sendApk;
2641                mWriteManifest = writeManifest;
2642            }
2643
2644            @Override
2645            public void run() {
2646                try {
2647                    BackupDataOutput output = new BackupDataOutput(
2648                            mPipe.getFileDescriptor());
2649
2650                    if (mWriteManifest) {
2651                        if (MORE_DEBUG) Slog.d(TAG, "Writing manifest for " + mPackage.packageName);
2652                        writeAppManifest(mPackage, mManifestFile, mSendApk);
2653                        FullBackup.backupToTar(mPackage.packageName, null, null,
2654                                mFilesDir.getAbsolutePath(),
2655                                mManifestFile.getAbsolutePath(),
2656                                output);
2657                    }
2658
2659                    if (mSendApk) {
2660                        writeApkToBackup(mPackage, output);
2661                    }
2662
2663                    if (DEBUG) Slog.d(TAG, "Calling doFullBackup() on " + mPackage.packageName);
2664                    prepareOperationTimeout(mToken, TIMEOUT_FULL_BACKUP_INTERVAL, null);
2665                    mAgent.doFullBackup(mPipe, mToken, mBackupManagerBinder);
2666                } catch (IOException e) {
2667                    Slog.e(TAG, "Error running full backup for " + mPackage.packageName);
2668                } catch (RemoteException e) {
2669                    Slog.e(TAG, "Remote agent vanished during full backup of "
2670                            + mPackage.packageName);
2671                } finally {
2672                    try {
2673                        mPipe.close();
2674                    } catch (IOException e) {}
2675                }
2676            }
2677        }
2678
2679        PerformFullBackupTask(ParcelFileDescriptor fd, IFullBackupRestoreObserver observer, 
2680                boolean includeApks, boolean includeObbs, boolean includeShared,
2681                String curPassword, String encryptPassword, boolean doAllApps,
2682                boolean doSystem, String[] packages, AtomicBoolean latch) {
2683            mOutputFile = fd;
2684            mObserver = observer;
2685            mIncludeApks = includeApks;
2686            mIncludeObbs = includeObbs;
2687            mIncludeShared = includeShared;
2688            mAllApps = doAllApps;
2689            mIncludeSystem = doSystem;
2690            mPackages = packages;
2691            mCurrentPassword = curPassword;
2692            // when backing up, if there is a current backup password, we require that
2693            // the user use a nonempty encryption password as well.  if one is supplied
2694            // in the UI we use that, but if the UI was left empty we fall back to the
2695            // current backup password (which was supplied by the user as well).
2696            if (encryptPassword == null || "".equals(encryptPassword)) {
2697                mEncryptPassword = curPassword;
2698            } else {
2699                mEncryptPassword = encryptPassword;
2700            }
2701            mLatchObject = latch;
2702
2703            mFilesDir = new File("/data/system");
2704            mManifestFile = new File(mFilesDir, BACKUP_MANIFEST_FILENAME);
2705        }
2706
2707        @Override
2708        public void run() {
2709            Slog.i(TAG, "--- Performing full-dataset backup ---");
2710
2711            List<PackageInfo> packagesToBackup = new ArrayList<PackageInfo>();
2712            FullBackupObbConnection obbConnection = new FullBackupObbConnection();
2713            obbConnection.establish();  // we'll want this later
2714
2715            sendStartBackup();
2716
2717            // doAllApps supersedes the package set if any
2718            if (mAllApps) {
2719                packagesToBackup = mPackageManager.getInstalledPackages(
2720                        PackageManager.GET_SIGNATURES);
2721                // Exclude system apps if we've been asked to do so
2722                if (mIncludeSystem == false) {
2723                    for (int i = 0; i < packagesToBackup.size(); ) {
2724                        PackageInfo pkg = packagesToBackup.get(i);
2725                        if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
2726                            packagesToBackup.remove(i);
2727                        } else {
2728                            i++;
2729                        }
2730                    }
2731                }
2732            }
2733
2734            // Now process the command line argument packages, if any. Note that explicitly-
2735            // named system-partition packages will be included even if includeSystem was
2736            // set to false.
2737            if (mPackages != null) {
2738                for (String pkgName : mPackages) {
2739                    try {
2740                        packagesToBackup.add(mPackageManager.getPackageInfo(pkgName,
2741                                PackageManager.GET_SIGNATURES));
2742                    } catch (NameNotFoundException e) {
2743                        Slog.w(TAG, "Unknown package " + pkgName + ", skipping");
2744                    }
2745                }
2746            }
2747
2748            // Cull any packages that have indicated that backups are not permitted, as well
2749            // as any explicit mention of the 'special' shared-storage agent package (we
2750            // handle that one at the end).
2751            for (int i = 0; i < packagesToBackup.size(); ) {
2752                PackageInfo pkg = packagesToBackup.get(i);
2753                if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0
2754                        || pkg.packageName.equals(SHARED_BACKUP_AGENT_PACKAGE)) {
2755                    packagesToBackup.remove(i);
2756                } else {
2757                    i++;
2758                }
2759            }
2760
2761            // Cull any packages that run as system-domain uids but do not define their
2762            // own backup agents
2763            for (int i = 0; i < packagesToBackup.size(); ) {
2764                PackageInfo pkg = packagesToBackup.get(i);
2765                if ((pkg.applicationInfo.uid < Process.FIRST_APPLICATION_UID)
2766                        && (pkg.applicationInfo.backupAgentName == null)) {
2767                    if (MORE_DEBUG) {
2768                        Slog.i(TAG, "... ignoring non-agent system package " + pkg.packageName);
2769                    }
2770                    packagesToBackup.remove(i);
2771                } else {
2772                    i++;
2773                }
2774            }
2775
2776            FileOutputStream ofstream = new FileOutputStream(mOutputFile.getFileDescriptor());
2777            OutputStream out = null;
2778
2779            PackageInfo pkg = null;
2780            try {
2781                boolean encrypting = (mEncryptPassword != null && mEncryptPassword.length() > 0);
2782                boolean compressing = COMPRESS_FULL_BACKUPS;
2783                OutputStream finalOutput = ofstream;
2784
2785                // Verify that the given password matches the currently-active
2786                // backup password, if any
2787                if (!backupPasswordMatches(mCurrentPassword)) {
2788                    if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
2789                    return;
2790                }
2791
2792                // Write the global file header.  All strings are UTF-8 encoded; lines end
2793                // with a '\n' byte.  Actual backup data begins immediately following the
2794                // final '\n'.
2795                //
2796                // line 1: "ANDROID BACKUP"
2797                // line 2: backup file format version, currently "2"
2798                // line 3: compressed?  "0" if not compressed, "1" if compressed.
2799                // line 4: name of encryption algorithm [currently only "none" or "AES-256"]
2800                //
2801                // When line 4 is not "none", then additional header data follows:
2802                //
2803                // line 5: user password salt [hex]
2804                // line 6: master key checksum salt [hex]
2805                // line 7: number of PBKDF2 rounds to use (same for user & master) [decimal]
2806                // line 8: IV of the user key [hex]
2807                // line 9: master key blob [hex]
2808                //     IV of the master key, master key itself, master key checksum hash
2809                //
2810                // The master key checksum is the master key plus its checksum salt, run through
2811                // 10k rounds of PBKDF2.  This is used to verify that the user has supplied the
2812                // correct password for decrypting the archive:  the master key decrypted from
2813                // the archive using the user-supplied password is also run through PBKDF2 in
2814                // this way, and if the result does not match the checksum as stored in the
2815                // archive, then we know that the user-supplied password does not match the
2816                // archive's.
2817                StringBuilder headerbuf = new StringBuilder(1024);
2818
2819                headerbuf.append(BACKUP_FILE_HEADER_MAGIC);
2820                headerbuf.append(BACKUP_FILE_VERSION); // integer, no trailing \n
2821                headerbuf.append(compressing ? "\n1\n" : "\n0\n");
2822
2823                try {
2824                    // Set up the encryption stage if appropriate, and emit the correct header
2825                    if (encrypting) {
2826                        finalOutput = emitAesBackupHeader(headerbuf, finalOutput);
2827                    } else {
2828                        headerbuf.append("none\n");
2829                    }
2830
2831                    byte[] header = headerbuf.toString().getBytes("UTF-8");
2832                    ofstream.write(header);
2833
2834                    // Set up the compression stage feeding into the encryption stage (if any)
2835                    if (compressing) {
2836                        Deflater deflater = new Deflater(Deflater.BEST_COMPRESSION);
2837                        finalOutput = new DeflaterOutputStream(finalOutput, deflater, true);
2838                    }
2839
2840                    out = finalOutput;
2841                } catch (Exception e) {
2842                    // Should never happen!
2843                    Slog.e(TAG, "Unable to emit archive header", e);
2844                    return;
2845                }
2846
2847                // Shared storage if requested
2848                if (mIncludeShared) {
2849                    try {
2850                        pkg = mPackageManager.getPackageInfo(SHARED_BACKUP_AGENT_PACKAGE, 0);
2851                        packagesToBackup.add(pkg);
2852                    } catch (NameNotFoundException e) {
2853                        Slog.e(TAG, "Unable to find shared-storage backup handler");
2854                    }
2855                }
2856
2857                // Now back up the app data via the agent mechanism
2858                int N = packagesToBackup.size();
2859                for (int i = 0; i < N; i++) {
2860                    pkg = packagesToBackup.get(i);
2861                    backupOnePackage(pkg, out);
2862
2863                    // after the app's agent runs to handle its private filesystem
2864                    // contents, back up any OBB content it has on its behalf.
2865                    if (mIncludeObbs) {
2866                        boolean obbOkay = obbConnection.backupObbs(pkg, out);
2867                        if (!obbOkay) {
2868                            throw new RuntimeException("Failure writing OBB stack for " + pkg);
2869                        }
2870                    }
2871                }
2872
2873                // Done!
2874                finalizeBackup(out);
2875            } catch (RemoteException e) {
2876                Slog.e(TAG, "App died during full backup");
2877            } catch (Exception e) {
2878                Slog.e(TAG, "Internal exception during full backup", e);
2879            } finally {
2880                tearDown(pkg);
2881                try {
2882                    if (out != null) out.close();
2883                    mOutputFile.close();
2884                } catch (IOException e) {
2885                    /* nothing we can do about this */
2886                }
2887                synchronized (mCurrentOpLock) {
2888                    mCurrentOperations.clear();
2889                }
2890                synchronized (mLatchObject) {
2891                    mLatchObject.set(true);
2892                    mLatchObject.notifyAll();
2893                }
2894                sendEndBackup();
2895                obbConnection.tearDown();
2896                if (DEBUG) Slog.d(TAG, "Full backup pass complete.");
2897                mWakelock.release();
2898            }
2899        }
2900
2901        private OutputStream emitAesBackupHeader(StringBuilder headerbuf,
2902                OutputStream ofstream) throws Exception {
2903            // User key will be used to encrypt the master key.
2904            byte[] newUserSalt = randomBytes(PBKDF2_SALT_SIZE);
2905            SecretKey userKey = buildPasswordKey(PBKDF_CURRENT, mEncryptPassword, newUserSalt,
2906                    PBKDF2_HASH_ROUNDS);
2907
2908            // the master key is random for each backup
2909            byte[] masterPw = new byte[256 / 8];
2910            mRng.nextBytes(masterPw);
2911            byte[] checksumSalt = randomBytes(PBKDF2_SALT_SIZE);
2912
2913            // primary encryption of the datastream with the random key
2914            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
2915            SecretKeySpec masterKeySpec = new SecretKeySpec(masterPw, "AES");
2916            c.init(Cipher.ENCRYPT_MODE, masterKeySpec);
2917            OutputStream finalOutput = new CipherOutputStream(ofstream, c);
2918
2919            // line 4: name of encryption algorithm
2920            headerbuf.append(ENCRYPTION_ALGORITHM_NAME);
2921            headerbuf.append('\n');
2922            // line 5: user password salt [hex]
2923            headerbuf.append(byteArrayToHex(newUserSalt));
2924            headerbuf.append('\n');
2925            // line 6: master key checksum salt [hex]
2926            headerbuf.append(byteArrayToHex(checksumSalt));
2927            headerbuf.append('\n');
2928            // line 7: number of PBKDF2 rounds used [decimal]
2929            headerbuf.append(PBKDF2_HASH_ROUNDS);
2930            headerbuf.append('\n');
2931
2932            // line 8: IV of the user key [hex]
2933            Cipher mkC = Cipher.getInstance("AES/CBC/PKCS5Padding");
2934            mkC.init(Cipher.ENCRYPT_MODE, userKey);
2935
2936            byte[] IV = mkC.getIV();
2937            headerbuf.append(byteArrayToHex(IV));
2938            headerbuf.append('\n');
2939
2940            // line 9: master IV + key blob, encrypted by the user key [hex].  Blob format:
2941            //    [byte] IV length = Niv
2942            //    [array of Niv bytes] IV itself
2943            //    [byte] master key length = Nmk
2944            //    [array of Nmk bytes] master key itself
2945            //    [byte] MK checksum hash length = Nck
2946            //    [array of Nck bytes] master key checksum hash
2947            //
2948            // The checksum is the (master key + checksum salt), run through the
2949            // stated number of PBKDF2 rounds
2950            IV = c.getIV();
2951            byte[] mk = masterKeySpec.getEncoded();
2952            byte[] checksum = makeKeyChecksum(PBKDF_CURRENT, masterKeySpec.getEncoded(),
2953                    checksumSalt, PBKDF2_HASH_ROUNDS);
2954
2955            ByteArrayOutputStream blob = new ByteArrayOutputStream(IV.length + mk.length
2956                    + checksum.length + 3);
2957            DataOutputStream mkOut = new DataOutputStream(blob);
2958            mkOut.writeByte(IV.length);
2959            mkOut.write(IV);
2960            mkOut.writeByte(mk.length);
2961            mkOut.write(mk);
2962            mkOut.writeByte(checksum.length);
2963            mkOut.write(checksum);
2964            mkOut.flush();
2965            byte[] encryptedMk = mkC.doFinal(blob.toByteArray());
2966            headerbuf.append(byteArrayToHex(encryptedMk));
2967            headerbuf.append('\n');
2968
2969            return finalOutput;
2970        }
2971
2972        private void backupOnePackage(PackageInfo pkg, OutputStream out)
2973                throws RemoteException {
2974            Slog.d(TAG, "Binding to full backup agent : " + pkg.packageName);
2975
2976            IBackupAgent agent = bindToAgentSynchronous(pkg.applicationInfo,
2977                    IApplicationThread.BACKUP_MODE_FULL);
2978            if (agent != null) {
2979                ParcelFileDescriptor[] pipes = null;
2980                try {
2981                    pipes = ParcelFileDescriptor.createPipe();
2982
2983                    ApplicationInfo app = pkg.applicationInfo;
2984                    final boolean isSharedStorage = pkg.packageName.equals(SHARED_BACKUP_AGENT_PACKAGE);
2985                    final boolean sendApk = mIncludeApks
2986                            && !isSharedStorage
2987                            && ((app.flags & ApplicationInfo.FLAG_FORWARD_LOCK) == 0)
2988                            && ((app.flags & ApplicationInfo.FLAG_SYSTEM) == 0 ||
2989                                (app.flags & ApplicationInfo.FLAG_UPDATED_SYSTEM_APP) != 0);
2990
2991                    sendOnBackupPackage(isSharedStorage ? "Shared storage" : pkg.packageName);
2992
2993                    final int token = generateToken();
2994                    FullBackupRunner runner = new FullBackupRunner(pkg, agent, pipes[1],
2995                            token, sendApk, !isSharedStorage);
2996                    pipes[1].close();   // the runner has dup'd it
2997                    pipes[1] = null;
2998                    Thread t = new Thread(runner);
2999                    t.start();
3000
3001                    // Now pull data from the app and stuff it into the compressor
3002                    try {
3003                        routeSocketDataToOutput(pipes[0], out);
3004                    } catch (IOException e) {
3005                        Slog.i(TAG, "Caught exception reading from agent", e);
3006                    }
3007
3008                    if (!waitUntilOperationComplete(token)) {
3009                        Slog.e(TAG, "Full backup failed on package " + pkg.packageName);
3010                    } else {
3011                        if (DEBUG) Slog.d(TAG, "Full package backup success: " + pkg.packageName);
3012                    }
3013
3014                } catch (IOException e) {
3015                    Slog.e(TAG, "Error backing up " + pkg.packageName, e);
3016                } finally {
3017                    try {
3018                        // flush after every package
3019                        out.flush();
3020                        if (pipes != null) {
3021                            if (pipes[0] != null) pipes[0].close();
3022                            if (pipes[1] != null) pipes[1].close();
3023                        }
3024                    } catch (IOException e) {
3025                        Slog.w(TAG, "Error bringing down backup stack");
3026                    }
3027                }
3028            } else {
3029                Slog.w(TAG, "Unable to bind to full agent for " + pkg.packageName);
3030            }
3031            tearDown(pkg);
3032        }
3033
3034        private void writeApkToBackup(PackageInfo pkg, BackupDataOutput output) {
3035            // Forward-locked apps, system-bundled .apks, etc are filtered out before we get here
3036            final String appSourceDir = pkg.applicationInfo.sourceDir;
3037            final String apkDir = new File(appSourceDir).getParent();
3038            FullBackup.backupToTar(pkg.packageName, FullBackup.APK_TREE_TOKEN, null,
3039                    apkDir, appSourceDir, output);
3040
3041            // TODO: migrate this to SharedStorageBackup, since AID_SYSTEM
3042            // doesn't have access to external storage.
3043
3044            // Save associated .obb content if it exists and we did save the apk
3045            // check for .obb and save those too
3046            final UserEnvironment userEnv = new UserEnvironment(UserHandle.USER_OWNER);
3047            final File obbDir = userEnv.buildExternalStorageAppObbDirs(pkg.packageName)[0];
3048            if (obbDir != null) {
3049                if (MORE_DEBUG) Log.i(TAG, "obb dir: " + obbDir.getAbsolutePath());
3050                File[] obbFiles = obbDir.listFiles();
3051                if (obbFiles != null) {
3052                    final String obbDirName = obbDir.getAbsolutePath();
3053                    for (File obb : obbFiles) {
3054                        FullBackup.backupToTar(pkg.packageName, FullBackup.OBB_TREE_TOKEN, null,
3055                                obbDirName, obb.getAbsolutePath(), output);
3056                    }
3057                }
3058            }
3059        }
3060
3061        private void finalizeBackup(OutputStream out) {
3062            try {
3063                // A standard 'tar' EOF sequence: two 512-byte blocks of all zeroes.
3064                byte[] eof = new byte[512 * 2]; // newly allocated == zero filled
3065                out.write(eof);
3066            } catch (IOException e) {
3067                Slog.w(TAG, "Error attempting to finalize backup stream");
3068            }
3069        }
3070
3071        private void writeAppManifest(PackageInfo pkg, File manifestFile, boolean withApk)
3072                throws IOException {
3073            // Manifest format. All data are strings ending in LF:
3074            //     BACKUP_MANIFEST_VERSION, currently 1
3075            //
3076            // Version 1:
3077            //     package name
3078            //     package's versionCode
3079            //     platform versionCode
3080            //     getInstallerPackageName() for this package (maybe empty)
3081            //     boolean: "1" if archive includes .apk; any other string means not
3082            //     number of signatures == N
3083            // N*:    signature byte array in ascii format per Signature.toCharsString()
3084            StringBuilder builder = new StringBuilder(4096);
3085            StringBuilderPrinter printer = new StringBuilderPrinter(builder);
3086
3087            printer.println(Integer.toString(BACKUP_MANIFEST_VERSION));
3088            printer.println(pkg.packageName);
3089            printer.println(Integer.toString(pkg.versionCode));
3090            printer.println(Integer.toString(Build.VERSION.SDK_INT));
3091
3092            String installerName = mPackageManager.getInstallerPackageName(pkg.packageName);
3093            printer.println((installerName != null) ? installerName : "");
3094
3095            printer.println(withApk ? "1" : "0");
3096            if (pkg.signatures == null) {
3097                printer.println("0");
3098            } else {
3099                printer.println(Integer.toString(pkg.signatures.length));
3100                for (Signature sig : pkg.signatures) {
3101                    printer.println(sig.toCharsString());
3102                }
3103            }
3104
3105            FileOutputStream outstream = new FileOutputStream(manifestFile);
3106            outstream.write(builder.toString().getBytes());
3107            outstream.close();
3108        }
3109
3110        private void tearDown(PackageInfo pkg) {
3111            if (pkg != null) {
3112                final ApplicationInfo app = pkg.applicationInfo;
3113                if (app != null) {
3114                    try {
3115                        // unbind and tidy up even on timeout or failure, just in case
3116                        mActivityManager.unbindBackupAgent(app);
3117
3118                        // The agent was running with a stub Application object, so shut it down.
3119                        if (app.uid != Process.SYSTEM_UID
3120                                && app.uid != Process.PHONE_UID) {
3121                            if (MORE_DEBUG) Slog.d(TAG, "Backup complete, killing host process");
3122                            mActivityManager.killApplicationProcess(app.processName, app.uid);
3123                        } else {
3124                            if (MORE_DEBUG) Slog.d(TAG, "Not killing after restore: " + app.processName);
3125                        }
3126                    } catch (RemoteException e) {
3127                        Slog.d(TAG, "Lost app trying to shut down");
3128                    }
3129                }
3130            }
3131        }
3132
3133        // wrappers for observer use
3134        void sendStartBackup() {
3135            if (mObserver != null) {
3136                try {
3137                    mObserver.onStartBackup();
3138                } catch (RemoteException e) {
3139                    Slog.w(TAG, "full backup observer went away: startBackup");
3140                    mObserver = null;
3141                }
3142            }
3143        }
3144
3145        void sendOnBackupPackage(String name) {
3146            if (mObserver != null) {
3147                try {
3148                    // TODO: use a more user-friendly name string
3149                    mObserver.onBackupPackage(name);
3150                } catch (RemoteException e) {
3151                    Slog.w(TAG, "full backup observer went away: backupPackage");
3152                    mObserver = null;
3153                }
3154            }
3155        }
3156
3157        void sendEndBackup() {
3158            if (mObserver != null) {
3159                try {
3160                    mObserver.onEndBackup();
3161                } catch (RemoteException e) {
3162                    Slog.w(TAG, "full backup observer went away: endBackup");
3163                    mObserver = null;
3164                }
3165            }
3166        }
3167    }
3168
3169
3170    // ----- Full restore from a file/socket -----
3171
3172    // Description of a file in the restore datastream
3173    static class FileMetadata {
3174        String packageName;             // name of the owning app
3175        String installerPackageName;    // name of the market-type app that installed the owner
3176        int type;                       // e.g. BackupAgent.TYPE_DIRECTORY
3177        String domain;                  // e.g. FullBackup.DATABASE_TREE_TOKEN
3178        String path;                    // subpath within the semantic domain
3179        long mode;                      // e.g. 0666 (actually int)
3180        long mtime;                     // last mod time, UTC time_t (actually int)
3181        long size;                      // bytes of content
3182
3183        @Override
3184        public String toString() {
3185            StringBuilder sb = new StringBuilder(128);
3186            sb.append("FileMetadata{");
3187            sb.append(packageName); sb.append(',');
3188            sb.append(type); sb.append(',');
3189            sb.append(domain); sb.append(':'); sb.append(path); sb.append(',');
3190            sb.append(size);
3191            sb.append('}');
3192            return sb.toString();
3193        }
3194    }
3195
3196    enum RestorePolicy {
3197        IGNORE,
3198        ACCEPT,
3199        ACCEPT_IF_APK
3200    }
3201
3202    class PerformFullRestoreTask extends ObbServiceClient implements Runnable {
3203        ParcelFileDescriptor mInputFile;
3204        String mCurrentPassword;
3205        String mDecryptPassword;
3206        IFullBackupRestoreObserver mObserver;
3207        AtomicBoolean mLatchObject;
3208        IBackupAgent mAgent;
3209        String mAgentPackage;
3210        ApplicationInfo mTargetApp;
3211        FullBackupObbConnection mObbConnection = null;
3212        ParcelFileDescriptor[] mPipes = null;
3213
3214        long mBytes;
3215
3216        // possible handling states for a given package in the restore dataset
3217        final HashMap<String, RestorePolicy> mPackagePolicies
3218                = new HashMap<String, RestorePolicy>();
3219
3220        // installer package names for each encountered app, derived from the manifests
3221        final HashMap<String, String> mPackageInstallers = new HashMap<String, String>();
3222
3223        // Signatures for a given package found in its manifest file
3224        final HashMap<String, Signature[]> mManifestSignatures
3225                = new HashMap<String, Signature[]>();
3226
3227        // Packages we've already wiped data on when restoring their first file
3228        final HashSet<String> mClearedPackages = new HashSet<String>();
3229
3230        PerformFullRestoreTask(ParcelFileDescriptor fd, String curPassword, String decryptPassword,
3231                IFullBackupRestoreObserver observer, AtomicBoolean latch) {
3232            mInputFile = fd;
3233            mCurrentPassword = curPassword;
3234            mDecryptPassword = decryptPassword;
3235            mObserver = observer;
3236            mLatchObject = latch;
3237            mAgent = null;
3238            mAgentPackage = null;
3239            mTargetApp = null;
3240            mObbConnection = new FullBackupObbConnection();
3241
3242            // Which packages we've already wiped data on.  We prepopulate this
3243            // with a whitelist of packages known to be unclearable.
3244            mClearedPackages.add("android");
3245            mClearedPackages.add("com.android.providers.settings");
3246
3247        }
3248
3249        class RestoreFileRunnable implements Runnable {
3250            IBackupAgent mAgent;
3251            FileMetadata mInfo;
3252            ParcelFileDescriptor mSocket;
3253            int mToken;
3254
3255            RestoreFileRunnable(IBackupAgent agent, FileMetadata info,
3256                    ParcelFileDescriptor socket, int token) throws IOException {
3257                mAgent = agent;
3258                mInfo = info;
3259                mToken = token;
3260
3261                // This class is used strictly for process-local binder invocations.  The
3262                // semantics of ParcelFileDescriptor differ in this case; in particular, we
3263                // do not automatically get a 'dup'ed descriptor that we can can continue
3264                // to use asynchronously from the caller.  So, we make sure to dup it ourselves
3265                // before proceeding to do the restore.
3266                mSocket = ParcelFileDescriptor.dup(socket.getFileDescriptor());
3267            }
3268
3269            @Override
3270            public void run() {
3271                try {
3272                    mAgent.doRestoreFile(mSocket, mInfo.size, mInfo.type,
3273                            mInfo.domain, mInfo.path, mInfo.mode, mInfo.mtime,
3274                            mToken, mBackupManagerBinder);
3275                } catch (RemoteException e) {
3276                    // never happens; this is used strictly for local binder calls
3277                }
3278            }
3279        }
3280
3281        @Override
3282        public void run() {
3283            Slog.i(TAG, "--- Performing full-dataset restore ---");
3284            mObbConnection.establish();
3285            sendStartRestore();
3286
3287            // Are we able to restore shared-storage data?
3288            if (Environment.getExternalStorageState().equals(Environment.MEDIA_MOUNTED)) {
3289                mPackagePolicies.put(SHARED_BACKUP_AGENT_PACKAGE, RestorePolicy.ACCEPT);
3290            }
3291
3292            FileInputStream rawInStream = null;
3293            DataInputStream rawDataIn = null;
3294            try {
3295                if (!backupPasswordMatches(mCurrentPassword)) {
3296                    if (DEBUG) Slog.w(TAG, "Backup password mismatch; aborting");
3297                    return;
3298                }
3299
3300                mBytes = 0;
3301                byte[] buffer = new byte[32 * 1024];
3302                rawInStream = new FileInputStream(mInputFile.getFileDescriptor());
3303                rawDataIn = new DataInputStream(rawInStream);
3304
3305                // First, parse out the unencrypted/uncompressed header
3306                boolean compressed = false;
3307                InputStream preCompressStream = rawInStream;
3308                final InputStream in;
3309
3310                boolean okay = false;
3311                final int headerLen = BACKUP_FILE_HEADER_MAGIC.length();
3312                byte[] streamHeader = new byte[headerLen];
3313                rawDataIn.readFully(streamHeader);
3314                byte[] magicBytes = BACKUP_FILE_HEADER_MAGIC.getBytes("UTF-8");
3315                if (Arrays.equals(magicBytes, streamHeader)) {
3316                    // okay, header looks good.  now parse out the rest of the fields.
3317                    String s = readHeaderLine(rawInStream);
3318                    final int archiveVersion = Integer.parseInt(s);
3319                    if (archiveVersion <= BACKUP_FILE_VERSION) {
3320                        // okay, it's a version we recognize.  if it's version 1, we may need
3321                        // to try two different PBKDF2 regimes to compare checksums.
3322                        final boolean pbkdf2Fallback = (archiveVersion == 1);
3323
3324                        s = readHeaderLine(rawInStream);
3325                        compressed = (Integer.parseInt(s) != 0);
3326                        s = readHeaderLine(rawInStream);
3327                        if (s.equals("none")) {
3328                            // no more header to parse; we're good to go
3329                            okay = true;
3330                        } else if (mDecryptPassword != null && mDecryptPassword.length() > 0) {
3331                            preCompressStream = decodeAesHeaderAndInitialize(s, pbkdf2Fallback,
3332                                    rawInStream);
3333                            if (preCompressStream != null) {
3334                                okay = true;
3335                            }
3336                        } else Slog.w(TAG, "Archive is encrypted but no password given");
3337                    } else Slog.w(TAG, "Wrong header version: " + s);
3338                } else Slog.w(TAG, "Didn't read the right header magic");
3339
3340                if (!okay) {
3341                    Slog.w(TAG, "Invalid restore data; aborting.");
3342                    return;
3343                }
3344
3345                // okay, use the right stream layer based on compression
3346                in = (compressed) ? new InflaterInputStream(preCompressStream) : preCompressStream;
3347
3348                boolean didRestore;
3349                do {
3350                    didRestore = restoreOneFile(in, buffer);
3351                } while (didRestore);
3352
3353                if (MORE_DEBUG) Slog.v(TAG, "Done consuming input tarfile, total bytes=" + mBytes);
3354            } catch (IOException e) {
3355                Slog.e(TAG, "Unable to read restore input");
3356            } finally {
3357                tearDownPipes();
3358                tearDownAgent(mTargetApp);
3359
3360                try {
3361                    if (rawDataIn != null) rawDataIn.close();
3362                    if (rawInStream != null) rawInStream.close();
3363                    mInputFile.close();
3364                } catch (IOException e) {
3365                    Slog.w(TAG, "Close of restore data pipe threw", e);
3366                    /* nothing we can do about this */
3367                }
3368                synchronized (mCurrentOpLock) {
3369                    mCurrentOperations.clear();
3370                }
3371                synchronized (mLatchObject) {
3372                    mLatchObject.set(true);
3373                    mLatchObject.notifyAll();
3374                }
3375                mObbConnection.tearDown();
3376                sendEndRestore();
3377                Slog.d(TAG, "Full restore pass complete.");
3378                mWakelock.release();
3379            }
3380        }
3381
3382        String readHeaderLine(InputStream in) throws IOException {
3383            int c;
3384            StringBuilder buffer = new StringBuilder(80);
3385            while ((c = in.read()) >= 0) {
3386                if (c == '\n') break;   // consume and discard the newlines
3387                buffer.append((char)c);
3388            }
3389            return buffer.toString();
3390        }
3391
3392        InputStream attemptMasterKeyDecryption(String algorithm, byte[] userSalt, byte[] ckSalt,
3393                int rounds, String userIvHex, String masterKeyBlobHex, InputStream rawInStream,
3394                boolean doLog) {
3395            InputStream result = null;
3396
3397            try {
3398                Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
3399                SecretKey userKey = buildPasswordKey(algorithm, mDecryptPassword, userSalt,
3400                        rounds);
3401                byte[] IV = hexToByteArray(userIvHex);
3402                IvParameterSpec ivSpec = new IvParameterSpec(IV);
3403                c.init(Cipher.DECRYPT_MODE,
3404                        new SecretKeySpec(userKey.getEncoded(), "AES"),
3405                        ivSpec);
3406                byte[] mkCipher = hexToByteArray(masterKeyBlobHex);
3407                byte[] mkBlob = c.doFinal(mkCipher);
3408
3409                // first, the master key IV
3410                int offset = 0;
3411                int len = mkBlob[offset++];
3412                IV = Arrays.copyOfRange(mkBlob, offset, offset + len);
3413                offset += len;
3414                // then the master key itself
3415                len = mkBlob[offset++];
3416                byte[] mk = Arrays.copyOfRange(mkBlob,
3417                        offset, offset + len);
3418                offset += len;
3419                // and finally the master key checksum hash
3420                len = mkBlob[offset++];
3421                byte[] mkChecksum = Arrays.copyOfRange(mkBlob,
3422                        offset, offset + len);
3423
3424                // now validate the decrypted master key against the checksum
3425                byte[] calculatedCk = makeKeyChecksum(algorithm, mk, ckSalt, rounds);
3426                if (Arrays.equals(calculatedCk, mkChecksum)) {
3427                    ivSpec = new IvParameterSpec(IV);
3428                    c.init(Cipher.DECRYPT_MODE,
3429                            new SecretKeySpec(mk, "AES"),
3430                            ivSpec);
3431                    // Only if all of the above worked properly will 'result' be assigned
3432                    result = new CipherInputStream(rawInStream, c);
3433                } else if (doLog) Slog.w(TAG, "Incorrect password");
3434            } catch (InvalidAlgorithmParameterException e) {
3435                if (doLog) Slog.e(TAG, "Needed parameter spec unavailable!", e);
3436            } catch (BadPaddingException e) {
3437                // This case frequently occurs when the wrong password is used to decrypt
3438                // the master key.  Use the identical "incorrect password" log text as is
3439                // used in the checksum failure log in order to avoid providing additional
3440                // information to an attacker.
3441                if (doLog) Slog.w(TAG, "Incorrect password");
3442            } catch (IllegalBlockSizeException e) {
3443                if (doLog) Slog.w(TAG, "Invalid block size in master key");
3444            } catch (NoSuchAlgorithmException e) {
3445                if (doLog) Slog.e(TAG, "Needed decryption algorithm unavailable!");
3446            } catch (NoSuchPaddingException e) {
3447                if (doLog) Slog.e(TAG, "Needed padding mechanism unavailable!");
3448            } catch (InvalidKeyException e) {
3449                if (doLog) Slog.w(TAG, "Illegal password; aborting");
3450            }
3451
3452            return result;
3453        }
3454
3455        InputStream decodeAesHeaderAndInitialize(String encryptionName, boolean pbkdf2Fallback,
3456                InputStream rawInStream) {
3457            InputStream result = null;
3458            try {
3459                if (encryptionName.equals(ENCRYPTION_ALGORITHM_NAME)) {
3460
3461                    String userSaltHex = readHeaderLine(rawInStream); // 5
3462                    byte[] userSalt = hexToByteArray(userSaltHex);
3463
3464                    String ckSaltHex = readHeaderLine(rawInStream); // 6
3465                    byte[] ckSalt = hexToByteArray(ckSaltHex);
3466
3467                    int rounds = Integer.parseInt(readHeaderLine(rawInStream)); // 7
3468                    String userIvHex = readHeaderLine(rawInStream); // 8
3469
3470                    String masterKeyBlobHex = readHeaderLine(rawInStream); // 9
3471
3472                    // decrypt the master key blob
3473                    result = attemptMasterKeyDecryption(PBKDF_CURRENT, userSalt, ckSalt,
3474                            rounds, userIvHex, masterKeyBlobHex, rawInStream, false);
3475                    if (result == null && pbkdf2Fallback) {
3476                        result = attemptMasterKeyDecryption(PBKDF_FALLBACK, userSalt, ckSalt,
3477                                rounds, userIvHex, masterKeyBlobHex, rawInStream, true);
3478                    }
3479                } else Slog.w(TAG, "Unsupported encryption method: " + encryptionName);
3480            } catch (NumberFormatException e) {
3481                Slog.w(TAG, "Can't parse restore data header");
3482            } catch (IOException e) {
3483                Slog.w(TAG, "Can't read input header");
3484            }
3485
3486            return result;
3487        }
3488
3489        boolean restoreOneFile(InputStream instream, byte[] buffer) {
3490            FileMetadata info;
3491            try {
3492                info = readTarHeaders(instream);
3493                if (info != null) {
3494                    if (MORE_DEBUG) {
3495                        dumpFileMetadata(info);
3496                    }
3497
3498                    final String pkg = info.packageName;
3499                    if (!pkg.equals(mAgentPackage)) {
3500                        // okay, change in package; set up our various
3501                        // bookkeeping if we haven't seen it yet
3502                        if (!mPackagePolicies.containsKey(pkg)) {
3503                            mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
3504                        }
3505
3506                        // Clean up the previous agent relationship if necessary,
3507                        // and let the observer know we're considering a new app.
3508                        if (mAgent != null) {
3509                            if (DEBUG) Slog.d(TAG, "Saw new package; tearing down old one");
3510                            tearDownPipes();
3511                            tearDownAgent(mTargetApp);
3512                            mTargetApp = null;
3513                            mAgentPackage = null;
3514                        }
3515                    }
3516
3517                    if (info.path.equals(BACKUP_MANIFEST_FILENAME)) {
3518                        mPackagePolicies.put(pkg, readAppManifest(info, instream));
3519                        mPackageInstallers.put(pkg, info.installerPackageName);
3520                        // We've read only the manifest content itself at this point,
3521                        // so consume the footer before looping around to the next
3522                        // input file
3523                        skipTarPadding(info.size, instream);
3524                        sendOnRestorePackage(pkg);
3525                    } else {
3526                        // Non-manifest, so it's actual file data.  Is this a package
3527                        // we're ignoring?
3528                        boolean okay = true;
3529                        RestorePolicy policy = mPackagePolicies.get(pkg);
3530                        switch (policy) {
3531                            case IGNORE:
3532                                okay = false;
3533                                break;
3534
3535                            case ACCEPT_IF_APK:
3536                                // If we're in accept-if-apk state, then the first file we
3537                                // see MUST be the apk.
3538                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
3539                                    if (DEBUG) Slog.d(TAG, "APK file; installing");
3540                                    // Try to install the app.
3541                                    String installerName = mPackageInstallers.get(pkg);
3542                                    okay = installApk(info, installerName, instream);
3543                                    // good to go; promote to ACCEPT
3544                                    mPackagePolicies.put(pkg, (okay)
3545                                            ? RestorePolicy.ACCEPT
3546                                            : RestorePolicy.IGNORE);
3547                                    // At this point we've consumed this file entry
3548                                    // ourselves, so just strip the tar footer and
3549                                    // go on to the next file in the input stream
3550                                    skipTarPadding(info.size, instream);
3551                                    return true;
3552                                } else {
3553                                    // File data before (or without) the apk.  We can't
3554                                    // handle it coherently in this case so ignore it.
3555                                    mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
3556                                    okay = false;
3557                                }
3558                                break;
3559
3560                            case ACCEPT:
3561                                if (info.domain.equals(FullBackup.APK_TREE_TOKEN)) {
3562                                    if (DEBUG) Slog.d(TAG, "apk present but ACCEPT");
3563                                    // we can take the data without the apk, so we
3564                                    // *want* to do so.  skip the apk by declaring this
3565                                    // one file not-okay without changing the restore
3566                                    // policy for the package.
3567                                    okay = false;
3568                                }
3569                                break;
3570
3571                            default:
3572                                // Something has gone dreadfully wrong when determining
3573                                // the restore policy from the manifest.  Ignore the
3574                                // rest of this package's data.
3575                                Slog.e(TAG, "Invalid policy from manifest");
3576                                okay = false;
3577                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
3578                                break;
3579                        }
3580
3581                        // If the policy is satisfied, go ahead and set up to pipe the
3582                        // data to the agent.
3583                        if (DEBUG && okay && mAgent != null) {
3584                            Slog.i(TAG, "Reusing existing agent instance");
3585                        }
3586                        if (okay && mAgent == null) {
3587                            if (DEBUG) Slog.d(TAG, "Need to launch agent for " + pkg);
3588
3589                            try {
3590                                mTargetApp = mPackageManager.getApplicationInfo(pkg, 0);
3591
3592                                // If we haven't sent any data to this app yet, we probably
3593                                // need to clear it first.  Check that.
3594                                if (!mClearedPackages.contains(pkg)) {
3595                                    // apps with their own backup agents are
3596                                    // responsible for coherently managing a full
3597                                    // restore.
3598                                    if (mTargetApp.backupAgentName == null) {
3599                                        if (DEBUG) Slog.d(TAG, "Clearing app data preparatory to full restore");
3600                                        clearApplicationDataSynchronous(pkg);
3601                                    } else {
3602                                        if (DEBUG) Slog.d(TAG, "backup agent ("
3603                                                + mTargetApp.backupAgentName + ") => no clear");
3604                                    }
3605                                    mClearedPackages.add(pkg);
3606                                } else {
3607                                    if (DEBUG) Slog.d(TAG, "We've initialized this app already; no clear required");
3608                                }
3609
3610                                // All set; now set up the IPC and launch the agent
3611                                setUpPipes();
3612                                mAgent = bindToAgentSynchronous(mTargetApp,
3613                                        IApplicationThread.BACKUP_MODE_RESTORE_FULL);
3614                                mAgentPackage = pkg;
3615                            } catch (IOException e) {
3616                                // fall through to error handling
3617                            } catch (NameNotFoundException e) {
3618                                // fall through to error handling
3619                            }
3620
3621                            if (mAgent == null) {
3622                                if (DEBUG) Slog.d(TAG, "Unable to create agent for " + pkg);
3623                                okay = false;
3624                                tearDownPipes();
3625                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
3626                            }
3627                        }
3628
3629                        // Sanity check: make sure we never give data to the wrong app.  This
3630                        // should never happen but a little paranoia here won't go amiss.
3631                        if (okay && !pkg.equals(mAgentPackage)) {
3632                            Slog.e(TAG, "Restoring data for " + pkg
3633                                    + " but agent is for " + mAgentPackage);
3634                            okay = false;
3635                        }
3636
3637                        // At this point we have an agent ready to handle the full
3638                        // restore data as well as a pipe for sending data to
3639                        // that agent.  Tell the agent to start reading from the
3640                        // pipe.
3641                        if (okay) {
3642                            boolean agentSuccess = true;
3643                            long toCopy = info.size;
3644                            final int token = generateToken();
3645                            try {
3646                                prepareOperationTimeout(token, TIMEOUT_FULL_BACKUP_INTERVAL, null);
3647                                if (info.domain.equals(FullBackup.OBB_TREE_TOKEN)) {
3648                                    if (DEBUG) Slog.d(TAG, "Restoring OBB file for " + pkg
3649                                            + " : " + info.path);
3650                                    mObbConnection.restoreObbFile(pkg, mPipes[0],
3651                                            info.size, info.type, info.path, info.mode,
3652                                            info.mtime, token, mBackupManagerBinder);
3653                                } else {
3654                                    if (DEBUG) Slog.d(TAG, "Invoking agent to restore file "
3655                                            + info.path);
3656                                    // fire up the app's agent listening on the socket.  If
3657                                    // the agent is running in the system process we can't
3658                                    // just invoke it asynchronously, so we provide a thread
3659                                    // for it here.
3660                                    if (mTargetApp.processName.equals("system")) {
3661                                        Slog.d(TAG, "system process agent - spinning a thread");
3662                                        RestoreFileRunnable runner = new RestoreFileRunnable(
3663                                                mAgent, info, mPipes[0], token);
3664                                        new Thread(runner).start();
3665                                    } else {
3666                                        mAgent.doRestoreFile(mPipes[0], info.size, info.type,
3667                                                info.domain, info.path, info.mode, info.mtime,
3668                                                token, mBackupManagerBinder);
3669                                    }
3670                                }
3671                            } catch (IOException e) {
3672                                // couldn't dup the socket for a process-local restore
3673                                Slog.d(TAG, "Couldn't establish restore");
3674                                agentSuccess = false;
3675                                okay = false;
3676                            } catch (RemoteException e) {
3677                                // whoops, remote entity went away.  We'll eat the content
3678                                // ourselves, then, and not copy it over.
3679                                Slog.e(TAG, "Agent crashed during full restore");
3680                                agentSuccess = false;
3681                                okay = false;
3682                            }
3683
3684                            // Copy over the data if the agent is still good
3685                            if (okay) {
3686                                boolean pipeOkay = true;
3687                                FileOutputStream pipe = new FileOutputStream(
3688                                        mPipes[1].getFileDescriptor());
3689                                while (toCopy > 0) {
3690                                    int toRead = (toCopy > buffer.length)
3691                                    ? buffer.length : (int)toCopy;
3692                                    int nRead = instream.read(buffer, 0, toRead);
3693                                    if (nRead >= 0) mBytes += nRead;
3694                                    if (nRead <= 0) break;
3695                                    toCopy -= nRead;
3696
3697                                    // send it to the output pipe as long as things
3698                                    // are still good
3699                                    if (pipeOkay) {
3700                                        try {
3701                                            pipe.write(buffer, 0, nRead);
3702                                        } catch (IOException e) {
3703                                            Slog.e(TAG, "Failed to write to restore pipe", e);
3704                                            pipeOkay = false;
3705                                        }
3706                                    }
3707                                }
3708
3709                                // done sending that file!  Now we just need to consume
3710                                // the delta from info.size to the end of block.
3711                                skipTarPadding(info.size, instream);
3712
3713                                // and now that we've sent it all, wait for the remote
3714                                // side to acknowledge receipt
3715                                agentSuccess = waitUntilOperationComplete(token);
3716                            }
3717
3718                            // okay, if the remote end failed at any point, deal with
3719                            // it by ignoring the rest of the restore on it
3720                            if (!agentSuccess) {
3721                                mBackupHandler.removeMessages(MSG_TIMEOUT);
3722                                tearDownPipes();
3723                                tearDownAgent(mTargetApp);
3724                                mAgent = null;
3725                                mPackagePolicies.put(pkg, RestorePolicy.IGNORE);
3726                            }
3727                        }
3728
3729                        // Problems setting up the agent communication, or an already-
3730                        // ignored package: skip to the next tar stream entry by
3731                        // reading and discarding this file.
3732                        if (!okay) {
3733                            if (DEBUG) Slog.d(TAG, "[discarding file content]");
3734                            long bytesToConsume = (info.size + 511) & ~511;
3735                            while (bytesToConsume > 0) {
3736                                int toRead = (bytesToConsume > buffer.length)
3737                                ? buffer.length : (int)bytesToConsume;
3738                                long nRead = instream.read(buffer, 0, toRead);
3739                                if (nRead >= 0) mBytes += nRead;
3740                                if (nRead <= 0) break;
3741                                bytesToConsume -= nRead;
3742                            }
3743                        }
3744                    }
3745                }
3746            } catch (IOException e) {
3747                if (DEBUG) Slog.w(TAG, "io exception on restore socket read", e);
3748                // treat as EOF
3749                info = null;
3750            }
3751
3752            return (info != null);
3753        }
3754
3755        void setUpPipes() throws IOException {
3756            mPipes = ParcelFileDescriptor.createPipe();
3757        }
3758
3759        void tearDownPipes() {
3760            if (mPipes != null) {
3761                try {
3762                    mPipes[0].close();
3763                    mPipes[0] = null;
3764                    mPipes[1].close();
3765                    mPipes[1] = null;
3766                } catch (IOException e) {
3767                    Slog.w(TAG, "Couldn't close agent pipes", e);
3768                }
3769                mPipes = null;
3770            }
3771        }
3772
3773        void tearDownAgent(ApplicationInfo app) {
3774            if (mAgent != null) {
3775                try {
3776                    // unbind and tidy up even on timeout or failure, just in case
3777                    mActivityManager.unbindBackupAgent(app);
3778
3779                    // The agent was running with a stub Application object, so shut it down.
3780                    // !!! We hardcode the confirmation UI's package name here rather than use a
3781                    //     manifest flag!  TODO something less direct.
3782                    if (app.uid != Process.SYSTEM_UID
3783                            && !app.packageName.equals("com.android.backupconfirm")) {
3784                        if (DEBUG) Slog.d(TAG, "Killing host process");
3785                        mActivityManager.killApplicationProcess(app.processName, app.uid);
3786                    } else {
3787                        if (DEBUG) Slog.d(TAG, "Not killing after full restore");
3788                    }
3789                } catch (RemoteException e) {
3790                    Slog.d(TAG, "Lost app trying to shut down");
3791                }
3792                mAgent = null;
3793            }
3794        }
3795
3796        class RestoreInstallObserver extends IPackageInstallObserver.Stub {
3797            final AtomicBoolean mDone = new AtomicBoolean();
3798            String mPackageName;
3799            int mResult;
3800
3801            public void reset() {
3802                synchronized (mDone) {
3803                    mDone.set(false);
3804                }
3805            }
3806
3807            public void waitForCompletion() {
3808                synchronized (mDone) {
3809                    while (mDone.get() == false) {
3810                        try {
3811                            mDone.wait();
3812                        } catch (InterruptedException e) { }
3813                    }
3814                }
3815            }
3816
3817            int getResult() {
3818                return mResult;
3819            }
3820
3821            @Override
3822            public void packageInstalled(String packageName, int returnCode)
3823                    throws RemoteException {
3824                synchronized (mDone) {
3825                    mResult = returnCode;
3826                    mPackageName = packageName;
3827                    mDone.set(true);
3828                    mDone.notifyAll();
3829                }
3830            }
3831        }
3832
3833        class RestoreDeleteObserver extends IPackageDeleteObserver.Stub {
3834            final AtomicBoolean mDone = new AtomicBoolean();
3835            int mResult;
3836
3837            public void reset() {
3838                synchronized (mDone) {
3839                    mDone.set(false);
3840                }
3841            }
3842
3843            public void waitForCompletion() {
3844                synchronized (mDone) {
3845                    while (mDone.get() == false) {
3846                        try {
3847                            mDone.wait();
3848                        } catch (InterruptedException e) { }
3849                    }
3850                }
3851            }
3852
3853            @Override
3854            public void packageDeleted(String packageName, int returnCode) throws RemoteException {
3855                synchronized (mDone) {
3856                    mResult = returnCode;
3857                    mDone.set(true);
3858                    mDone.notifyAll();
3859                }
3860            }
3861        }
3862
3863        final RestoreInstallObserver mInstallObserver = new RestoreInstallObserver();
3864        final RestoreDeleteObserver mDeleteObserver = new RestoreDeleteObserver();
3865
3866        boolean installApk(FileMetadata info, String installerPackage, InputStream instream) {
3867            boolean okay = true;
3868
3869            if (DEBUG) Slog.d(TAG, "Installing from backup: " + info.packageName);
3870
3871            // The file content is an .apk file.  Copy it out to a staging location and
3872            // attempt to install it.
3873            File apkFile = new File(mDataDir, info.packageName);
3874            try {
3875                FileOutputStream apkStream = new FileOutputStream(apkFile);
3876                byte[] buffer = new byte[32 * 1024];
3877                long size = info.size;
3878                while (size > 0) {
3879                    long toRead = (buffer.length < size) ? buffer.length : size;
3880                    int didRead = instream.read(buffer, 0, (int)toRead);
3881                    if (didRead >= 0) mBytes += didRead;
3882                    apkStream.write(buffer, 0, didRead);
3883                    size -= didRead;
3884                }
3885                apkStream.close();
3886
3887                // make sure the installer can read it
3888                apkFile.setReadable(true, false);
3889
3890                // Now install it
3891                Uri packageUri = Uri.fromFile(apkFile);
3892                mInstallObserver.reset();
3893                mPackageManager.installPackage(packageUri, mInstallObserver,
3894                        PackageManager.INSTALL_REPLACE_EXISTING | PackageManager.INSTALL_FROM_ADB,
3895                        installerPackage);
3896                mInstallObserver.waitForCompletion();
3897
3898                if (mInstallObserver.getResult() != PackageManager.INSTALL_SUCCEEDED) {
3899                    // The only time we continue to accept install of data even if the
3900                    // apk install failed is if we had already determined that we could
3901                    // accept the data regardless.
3902                    if (mPackagePolicies.get(info.packageName) != RestorePolicy.ACCEPT) {
3903                        okay = false;
3904                    }
3905                } else {
3906                    // Okay, the install succeeded.  Make sure it was the right app.
3907                    boolean uninstall = false;
3908                    if (!mInstallObserver.mPackageName.equals(info.packageName)) {
3909                        Slog.w(TAG, "Restore stream claimed to include apk for "
3910                                + info.packageName + " but apk was really "
3911                                + mInstallObserver.mPackageName);
3912                        // delete the package we just put in place; it might be fraudulent
3913                        okay = false;
3914                        uninstall = true;
3915                    } else {
3916                        try {
3917                            PackageInfo pkg = mPackageManager.getPackageInfo(info.packageName,
3918                                    PackageManager.GET_SIGNATURES);
3919                            if ((pkg.applicationInfo.flags & ApplicationInfo.FLAG_ALLOW_BACKUP) == 0) {
3920                                Slog.w(TAG, "Restore stream contains apk of package "
3921                                        + info.packageName + " but it disallows backup/restore");
3922                                okay = false;
3923                            } else {
3924                                // So far so good -- do the signatures match the manifest?
3925                                Signature[] sigs = mManifestSignatures.get(info.packageName);
3926                                if (signaturesMatch(sigs, pkg)) {
3927                                    // If this is a system-uid app without a declared backup agent,
3928                                    // don't restore any of the file data.
3929                                    if ((pkg.applicationInfo.uid < Process.FIRST_APPLICATION_UID)
3930                                            && (pkg.applicationInfo.backupAgentName == null)) {
3931                                        Slog.w(TAG, "Installed app " + info.packageName
3932                                                + " has restricted uid and no agent");
3933                                        okay = false;
3934                                    }
3935                                } else {
3936                                    Slog.w(TAG, "Installed app " + info.packageName
3937                                            + " signatures do not match restore manifest");
3938                                    okay = false;
3939                                    uninstall = true;
3940                                }
3941                            }
3942                        } catch (NameNotFoundException e) {
3943                            Slog.w(TAG, "Install of package " + info.packageName
3944                                    + " succeeded but now not found");
3945                            okay = false;
3946                        }
3947                    }
3948
3949                    // If we're not okay at this point, we need to delete the package
3950                    // that we just installed.
3951                    if (uninstall) {
3952                        mDeleteObserver.reset();
3953                        mPackageManager.deletePackage(mInstallObserver.mPackageName,
3954                                mDeleteObserver, 0);
3955                        mDeleteObserver.waitForCompletion();
3956                    }
3957                }
3958            } catch (IOException e) {
3959                Slog.e(TAG, "Unable to transcribe restored apk for install");
3960                okay = false;
3961            } finally {
3962                apkFile.delete();
3963            }
3964
3965            return okay;
3966        }
3967
3968        // Given an actual file content size, consume the post-content padding mandated
3969        // by the tar format.
3970        void skipTarPadding(long size, InputStream instream) throws IOException {
3971            long partial = (size + 512) % 512;
3972            if (partial > 0) {
3973                final int needed = 512 - (int)partial;
3974                byte[] buffer = new byte[needed];
3975                if (readExactly(instream, buffer, 0, needed) == needed) {
3976                    mBytes += needed;
3977                } else throw new IOException("Unexpected EOF in padding");
3978            }
3979        }
3980
3981        // Returns a policy constant; takes a buffer arg to reduce memory churn
3982        RestorePolicy readAppManifest(FileMetadata info, InputStream instream)
3983                throws IOException {
3984            // Fail on suspiciously large manifest files
3985            if (info.size > 64 * 1024) {
3986                throw new IOException("Restore manifest too big; corrupt? size=" + info.size);
3987            }
3988
3989            byte[] buffer = new byte[(int) info.size];
3990            if (readExactly(instream, buffer, 0, (int)info.size) == info.size) {
3991                mBytes += info.size;
3992            } else throw new IOException("Unexpected EOF in manifest");
3993
3994            RestorePolicy policy = RestorePolicy.IGNORE;
3995            String[] str = new String[1];
3996            int offset = 0;
3997
3998            try {
3999                offset = extractLine(buffer, offset, str);
4000                int version = Integer.parseInt(str[0]);
4001                if (version == BACKUP_MANIFEST_VERSION) {
4002                    offset = extractLine(buffer, offset, str);
4003                    String manifestPackage = str[0];
4004                    // TODO: handle <original-package>
4005                    if (manifestPackage.equals(info.packageName)) {
4006                        offset = extractLine(buffer, offset, str);
4007                        version = Integer.parseInt(str[0]);  // app version
4008                        offset = extractLine(buffer, offset, str);
4009                        int platformVersion = Integer.parseInt(str[0]);
4010                        offset = extractLine(buffer, offset, str);
4011                        info.installerPackageName = (str[0].length() > 0) ? str[0] : null;
4012                        offset = extractLine(buffer, offset, str);
4013                        boolean hasApk = str[0].equals("1");
4014                        offset = extractLine(buffer, offset, str);
4015                        int numSigs = Integer.parseInt(str[0]);
4016                        if (numSigs > 0) {
4017                            Signature[] sigs = new Signature[numSigs];
4018                            for (int i = 0; i < numSigs; i++) {
4019                                offset = extractLine(buffer, offset, str);
4020                                sigs[i] = new Signature(str[0]);
4021                            }
4022                            mManifestSignatures.put(info.packageName, sigs);
4023
4024                            // Okay, got the manifest info we need...
4025                            try {
4026                                PackageInfo pkgInfo = mPackageManager.getPackageInfo(
4027                                        info.packageName, PackageManager.GET_SIGNATURES);
4028                                // Fall through to IGNORE if the app explicitly disallows backup
4029                                final int flags = pkgInfo.applicationInfo.flags;
4030                                if ((flags & ApplicationInfo.FLAG_ALLOW_BACKUP) != 0) {
4031                                    // Restore system-uid-space packages only if they have
4032                                    // defined a custom backup agent
4033                                    if ((pkgInfo.applicationInfo.uid >= Process.FIRST_APPLICATION_UID)
4034                                            || (pkgInfo.applicationInfo.backupAgentName != null)) {
4035                                        // Verify signatures against any installed version; if they
4036                                        // don't match, then we fall though and ignore the data.  The
4037                                        // signatureMatch() method explicitly ignores the signature
4038                                        // check for packages installed on the system partition, because
4039                                        // such packages are signed with the platform cert instead of
4040                                        // the app developer's cert, so they're different on every
4041                                        // device.
4042                                        if (signaturesMatch(sigs, pkgInfo)) {
4043                                            if (pkgInfo.versionCode >= version) {
4044                                                Slog.i(TAG, "Sig + version match; taking data");
4045                                                policy = RestorePolicy.ACCEPT;
4046                                            } else {
4047                                                // The data is from a newer version of the app than
4048                                                // is presently installed.  That means we can only
4049                                                // use it if the matching apk is also supplied.
4050                                                Slog.d(TAG, "Data version " + version
4051                                                        + " is newer than installed version "
4052                                                        + pkgInfo.versionCode + " - requiring apk");
4053                                                policy = RestorePolicy.ACCEPT_IF_APK;
4054                                            }
4055                                        } else {
4056                                            Slog.w(TAG, "Restore manifest signatures do not match "
4057                                                    + "installed application for " + info.packageName);
4058                                        }
4059                                    } else {
4060                                        Slog.w(TAG, "Package " + info.packageName
4061                                                + " is system level with no agent");
4062                                    }
4063                                } else {
4064                                    if (DEBUG) Slog.i(TAG, "Restore manifest from "
4065                                            + info.packageName + " but allowBackup=false");
4066                                }
4067                            } catch (NameNotFoundException e) {
4068                                // Okay, the target app isn't installed.  We can process
4069                                // the restore properly only if the dataset provides the
4070                                // apk file and we can successfully install it.
4071                                if (DEBUG) Slog.i(TAG, "Package " + info.packageName
4072                                        + " not installed; requiring apk in dataset");
4073                                policy = RestorePolicy.ACCEPT_IF_APK;
4074                            }
4075
4076                            if (policy == RestorePolicy.ACCEPT_IF_APK && !hasApk) {
4077                                Slog.i(TAG, "Cannot restore package " + info.packageName
4078                                        + " without the matching .apk");
4079                            }
4080                        } else {
4081                            Slog.i(TAG, "Missing signature on backed-up package "
4082                                    + info.packageName);
4083                        }
4084                    } else {
4085                        Slog.i(TAG, "Expected package " + info.packageName
4086                                + " but restore manifest claims " + manifestPackage);
4087                    }
4088                } else {
4089                    Slog.i(TAG, "Unknown restore manifest version " + version
4090                            + " for package " + info.packageName);
4091                }
4092            } catch (NumberFormatException e) {
4093                Slog.w(TAG, "Corrupt restore manifest for package " + info.packageName);
4094            } catch (IllegalArgumentException e) {
4095                Slog.w(TAG, e.getMessage());
4096            }
4097
4098            return policy;
4099        }
4100
4101        // Builds a line from a byte buffer starting at 'offset', and returns
4102        // the index of the next unconsumed data in the buffer.
4103        int extractLine(byte[] buffer, int offset, String[] outStr) throws IOException {
4104            final int end = buffer.length;
4105            if (offset >= end) throw new IOException("Incomplete data");
4106
4107            int pos;
4108            for (pos = offset; pos < end; pos++) {
4109                byte c = buffer[pos];
4110                // at LF we declare end of line, and return the next char as the
4111                // starting point for the next time through
4112                if (c == '\n') {
4113                    break;
4114                }
4115            }
4116            outStr[0] = new String(buffer, offset, pos - offset);
4117            pos++;  // may be pointing an extra byte past the end but that's okay
4118            return pos;
4119        }
4120
4121        void dumpFileMetadata(FileMetadata info) {
4122            if (DEBUG) {
4123                StringBuilder b = new StringBuilder(128);
4124
4125                // mode string
4126                b.append((info.type == BackupAgent.TYPE_DIRECTORY) ? 'd' : '-');
4127                b.append(((info.mode & 0400) != 0) ? 'r' : '-');
4128                b.append(((info.mode & 0200) != 0) ? 'w' : '-');
4129                b.append(((info.mode & 0100) != 0) ? 'x' : '-');
4130                b.append(((info.mode & 0040) != 0) ? 'r' : '-');
4131                b.append(((info.mode & 0020) != 0) ? 'w' : '-');
4132                b.append(((info.mode & 0010) != 0) ? 'x' : '-');
4133                b.append(((info.mode & 0004) != 0) ? 'r' : '-');
4134                b.append(((info.mode & 0002) != 0) ? 'w' : '-');
4135                b.append(((info.mode & 0001) != 0) ? 'x' : '-');
4136                b.append(String.format(" %9d ", info.size));
4137
4138                Date stamp = new Date(info.mtime);
4139                b.append(new SimpleDateFormat("MMM dd HH:mm:ss ").format(stamp));
4140
4141                b.append(info.packageName);
4142                b.append(" :: ");
4143                b.append(info.domain);
4144                b.append(" :: ");
4145                b.append(info.path);
4146
4147                Slog.i(TAG, b.toString());
4148            }
4149        }
4150        // Consume a tar file header block [sequence] and accumulate the relevant metadata
4151        FileMetadata readTarHeaders(InputStream instream) throws IOException {
4152            byte[] block = new byte[512];
4153            FileMetadata info = null;
4154
4155            boolean gotHeader = readTarHeader(instream, block);
4156            if (gotHeader) {
4157                try {
4158                    // okay, presume we're okay, and extract the various metadata
4159                    info = new FileMetadata();
4160                    info.size = extractRadix(block, 124, 12, 8);
4161                    info.mtime = extractRadix(block, 136, 12, 8);
4162                    info.mode = extractRadix(block, 100, 8, 8);
4163
4164                    info.path = extractString(block, 345, 155); // prefix
4165                    String path = extractString(block, 0, 100);
4166                    if (path.length() > 0) {
4167                        if (info.path.length() > 0) info.path += '/';
4168                        info.path += path;
4169                    }
4170
4171                    // tar link indicator field: 1 byte at offset 156 in the header.
4172                    int typeChar = block[156];
4173                    if (typeChar == 'x') {
4174                        // pax extended header, so we need to read that
4175                        gotHeader = readPaxExtendedHeader(instream, info);
4176                        if (gotHeader) {
4177                            // and after a pax extended header comes another real header -- read
4178                            // that to find the real file type
4179                            gotHeader = readTarHeader(instream, block);
4180                        }
4181                        if (!gotHeader) throw new IOException("Bad or missing pax header");
4182
4183                        typeChar = block[156];
4184                    }
4185
4186                    switch (typeChar) {
4187                        case '0': info.type = BackupAgent.TYPE_FILE; break;
4188                        case '5': {
4189                            info.type = BackupAgent.TYPE_DIRECTORY;
4190                            if (info.size != 0) {
4191                                Slog.w(TAG, "Directory entry with nonzero size in header");
4192                                info.size = 0;
4193                            }
4194                            break;
4195                        }
4196                        case 0: {
4197                            // presume EOF
4198                            if (DEBUG) Slog.w(TAG, "Saw type=0 in tar header block, info=" + info);
4199                            return null;
4200                        }
4201                        default: {
4202                            Slog.e(TAG, "Unknown tar entity type: " + typeChar);
4203                            throw new IOException("Unknown entity type " + typeChar);
4204                        }
4205                    }
4206
4207                    // Parse out the path
4208                    //
4209                    // first: apps/shared/unrecognized
4210                    if (FullBackup.SHARED_PREFIX.regionMatches(0,
4211                            info.path, 0, FullBackup.SHARED_PREFIX.length())) {
4212                        // File in shared storage.  !!! TODO: implement this.
4213                        info.path = info.path.substring(FullBackup.SHARED_PREFIX.length());
4214                        info.packageName = SHARED_BACKUP_AGENT_PACKAGE;
4215                        info.domain = FullBackup.SHARED_STORAGE_TOKEN;
4216                        if (DEBUG) Slog.i(TAG, "File in shared storage: " + info.path);
4217                    } else if (FullBackup.APPS_PREFIX.regionMatches(0,
4218                            info.path, 0, FullBackup.APPS_PREFIX.length())) {
4219                        // App content!  Parse out the package name and domain
4220
4221                        // strip the apps/ prefix
4222                        info.path = info.path.substring(FullBackup.APPS_PREFIX.length());
4223
4224                        // extract the package name
4225                        int slash = info.path.indexOf('/');
4226                        if (slash < 0) throw new IOException("Illegal semantic path in " + info.path);
4227                        info.packageName = info.path.substring(0, slash);
4228                        info.path = info.path.substring(slash+1);
4229
4230                        // if it's a manifest we're done, otherwise parse out the domains
4231                        if (!info.path.equals(BACKUP_MANIFEST_FILENAME)) {
4232                            slash = info.path.indexOf('/');
4233                            if (slash < 0) throw new IOException("Illegal semantic path in non-manifest " + info.path);
4234                            info.domain = info.path.substring(0, slash);
4235                            info.path = info.path.substring(slash + 1);
4236                        }
4237                    }
4238                } catch (IOException e) {
4239                    if (DEBUG) {
4240                        Slog.e(TAG, "Parse error in header: " + e.getMessage());
4241                        HEXLOG(block);
4242                    }
4243                    throw e;
4244                }
4245            }
4246            return info;
4247        }
4248
4249        private void HEXLOG(byte[] block) {
4250            int offset = 0;
4251            int todo = block.length;
4252            StringBuilder buf = new StringBuilder(64);
4253            while (todo > 0) {
4254                buf.append(String.format("%04x   ", offset));
4255                int numThisLine = (todo > 16) ? 16 : todo;
4256                for (int i = 0; i < numThisLine; i++) {
4257                    buf.append(String.format("%02x ", block[offset+i]));
4258                }
4259                Slog.i("hexdump", buf.toString());
4260                buf.setLength(0);
4261                todo -= numThisLine;
4262                offset += numThisLine;
4263            }
4264        }
4265
4266        // Read exactly the given number of bytes into a buffer at the stated offset.
4267        // Returns false if EOF is encountered before the requested number of bytes
4268        // could be read.
4269        int readExactly(InputStream in, byte[] buffer, int offset, int size)
4270                throws IOException {
4271            if (size <= 0) throw new IllegalArgumentException("size must be > 0");
4272
4273            int soFar = 0;
4274            while (soFar < size) {
4275                int nRead = in.read(buffer, offset + soFar, size - soFar);
4276                if (nRead <= 0) {
4277                    if (MORE_DEBUG) Slog.w(TAG, "- wanted exactly " + size + " but got only " + soFar);
4278                    break;
4279                }
4280                soFar += nRead;
4281            }
4282            return soFar;
4283        }
4284
4285        boolean readTarHeader(InputStream instream, byte[] block) throws IOException {
4286            final int got = readExactly(instream, block, 0, 512);
4287            if (got == 0) return false;     // Clean EOF
4288            if (got < 512) throw new IOException("Unable to read full block header");
4289            mBytes += 512;
4290            return true;
4291        }
4292
4293        // overwrites 'info' fields based on the pax extended header
4294        boolean readPaxExtendedHeader(InputStream instream, FileMetadata info)
4295                throws IOException {
4296            // We should never see a pax extended header larger than this
4297            if (info.size > 32*1024) {
4298                Slog.w(TAG, "Suspiciously large pax header size " + info.size
4299                        + " - aborting");
4300                throw new IOException("Sanity failure: pax header size " + info.size);
4301            }
4302
4303            // read whole blocks, not just the content size
4304            int numBlocks = (int)((info.size + 511) >> 9);
4305            byte[] data = new byte[numBlocks * 512];
4306            if (readExactly(instream, data, 0, data.length) < data.length) {
4307                throw new IOException("Unable to read full pax header");
4308            }
4309            mBytes += data.length;
4310
4311            final int contentSize = (int) info.size;
4312            int offset = 0;
4313            do {
4314                // extract the line at 'offset'
4315                int eol = offset+1;
4316                while (eol < contentSize && data[eol] != ' ') eol++;
4317                if (eol >= contentSize) {
4318                    // error: we just hit EOD looking for the end of the size field
4319                    throw new IOException("Invalid pax data");
4320                }
4321                // eol points to the space between the count and the key
4322                int linelen = (int) extractRadix(data, offset, eol - offset, 10);
4323                int key = eol + 1;  // start of key=value
4324                eol = offset + linelen - 1; // trailing LF
4325                int value;
4326                for (value = key+1; data[value] != '=' && value <= eol; value++);
4327                if (value > eol) {
4328                    throw new IOException("Invalid pax declaration");
4329                }
4330
4331                // pax requires that key/value strings be in UTF-8
4332                String keyStr = new String(data, key, value-key, "UTF-8");
4333                // -1 to strip the trailing LF
4334                String valStr = new String(data, value+1, eol-value-1, "UTF-8");
4335
4336                if ("path".equals(keyStr)) {
4337                    info.path = valStr;
4338                } else if ("size".equals(keyStr)) {
4339                    info.size = Long.parseLong(valStr);
4340                } else {
4341                    if (DEBUG) Slog.i(TAG, "Unhandled pax key: " + key);
4342                }
4343
4344                offset += linelen;
4345            } while (offset < contentSize);
4346
4347            return true;
4348        }
4349
4350        long extractRadix(byte[] data, int offset, int maxChars, int radix)
4351                throws IOException {
4352            long value = 0;
4353            final int end = offset + maxChars;
4354            for (int i = offset; i < end; i++) {
4355                final byte b = data[i];
4356                // Numeric fields in tar can terminate with either NUL or SPC
4357                if (b == 0 || b == ' ') break;
4358                if (b < '0' || b > ('0' + radix - 1)) {
4359                    throw new IOException("Invalid number in header: '" + (char)b + "' for radix " + radix);
4360                }
4361                value = radix * value + (b - '0');
4362            }
4363            return value;
4364        }
4365
4366        String extractString(byte[] data, int offset, int maxChars) throws IOException {
4367            final int end = offset + maxChars;
4368            int eos = offset;
4369            // tar string fields terminate early with a NUL
4370            while (eos < end && data[eos] != 0) eos++;
4371            return new String(data, offset, eos-offset, "US-ASCII");
4372        }
4373
4374        void sendStartRestore() {
4375            if (mObserver != null) {
4376                try {
4377                    mObserver.onStartRestore();
4378                } catch (RemoteException e) {
4379                    Slog.w(TAG, "full restore observer went away: startRestore");
4380                    mObserver = null;
4381                }
4382            }
4383        }
4384
4385        void sendOnRestorePackage(String name) {
4386            if (mObserver != null) {
4387                try {
4388                    // TODO: use a more user-friendly name string
4389                    mObserver.onRestorePackage(name);
4390                } catch (RemoteException e) {
4391                    Slog.w(TAG, "full restore observer went away: restorePackage");
4392                    mObserver = null;
4393                }
4394            }
4395        }
4396
4397        void sendEndRestore() {
4398            if (mObserver != null) {
4399                try {
4400                    mObserver.onEndRestore();
4401                } catch (RemoteException e) {
4402                    Slog.w(TAG, "full restore observer went away: endRestore");
4403                    mObserver = null;
4404                }
4405            }
4406        }
4407    }
4408
4409    // ----- Restore handling -----
4410
4411    private boolean signaturesMatch(Signature[] storedSigs, PackageInfo target) {
4412        // If the target resides on the system partition, we allow it to restore
4413        // data from the like-named package in a restore set even if the signatures
4414        // do not match.  (Unlike general applications, those flashed to the system
4415        // partition will be signed with the device's platform certificate, so on
4416        // different phones the same system app will have different signatures.)
4417        if ((target.applicationInfo.flags & ApplicationInfo.FLAG_SYSTEM) != 0) {
4418            if (DEBUG) Slog.v(TAG, "System app " + target.packageName + " - skipping sig check");
4419            return true;
4420        }
4421
4422        // Allow unsigned apps, but not signed on one device and unsigned on the other
4423        // !!! TODO: is this the right policy?
4424        Signature[] deviceSigs = target.signatures;
4425        if (MORE_DEBUG) Slog.v(TAG, "signaturesMatch(): stored=" + storedSigs
4426                + " device=" + deviceSigs);
4427        if ((storedSigs == null || storedSigs.length == 0)
4428                && (deviceSigs == null || deviceSigs.length == 0)) {
4429            return true;
4430        }
4431        if (storedSigs == null || deviceSigs == null) {
4432            return false;
4433        }
4434
4435        // !!! TODO: this demands that every stored signature match one
4436        // that is present on device, and does not demand the converse.
4437        // Is this this right policy?
4438        int nStored = storedSigs.length;
4439        int nDevice = deviceSigs.length;
4440
4441        for (int i=0; i < nStored; i++) {
4442            boolean match = false;
4443            for (int j=0; j < nDevice; j++) {
4444                if (storedSigs[i].equals(deviceSigs[j])) {
4445                    match = true;
4446                    break;
4447                }
4448            }
4449            if (!match) {
4450                return false;
4451            }
4452        }
4453        return true;
4454    }
4455
4456    enum RestoreState {
4457        INITIAL,
4458        DOWNLOAD_DATA,
4459        PM_METADATA,
4460        RUNNING_QUEUE,
4461        FINAL
4462    }
4463
4464    class PerformRestoreTask implements BackupRestoreTask {
4465        private IBackupTransport mTransport;
4466        private IRestoreObserver mObserver;
4467        private long mToken;
4468        private PackageInfo mTargetPackage;
4469        private File mStateDir;
4470        private int mPmToken;
4471        private boolean mNeedFullBackup;
4472        private HashSet<String> mFilterSet;
4473        private long mStartRealtime;
4474        private PackageManagerBackupAgent mPmAgent;
4475        private List<PackageInfo> mAgentPackages;
4476        private ArrayList<PackageInfo> mRestorePackages;
4477        private RestoreState mCurrentState;
4478        private int mCount;
4479        private boolean mFinished;
4480        private int mStatus;
4481        private File mBackupDataName;
4482        private File mNewStateName;
4483        private File mSavedStateName;
4484        private ParcelFileDescriptor mBackupData;
4485        private ParcelFileDescriptor mNewState;
4486        private PackageInfo mCurrentPackage;
4487
4488
4489        class RestoreRequest {
4490            public PackageInfo app;
4491            public int storedAppVersion;
4492
4493            RestoreRequest(PackageInfo _app, int _version) {
4494                app = _app;
4495                storedAppVersion = _version;
4496            }
4497        }
4498
4499        PerformRestoreTask(IBackupTransport transport, String dirName, IRestoreObserver observer,
4500                long restoreSetToken, PackageInfo targetPackage, int pmToken,
4501                boolean needFullBackup, String[] filterSet) {
4502            mCurrentState = RestoreState.INITIAL;
4503            mFinished = false;
4504            mPmAgent = null;
4505
4506            mTransport = transport;
4507            mObserver = observer;
4508            mToken = restoreSetToken;
4509            mTargetPackage = targetPackage;
4510            mPmToken = pmToken;
4511            mNeedFullBackup = needFullBackup;
4512
4513            if (filterSet != null) {
4514                mFilterSet = new HashSet<String>();
4515                for (String pkg : filterSet) {
4516                    mFilterSet.add(pkg);
4517                }
4518            } else {
4519                mFilterSet = null;
4520            }
4521
4522            mStateDir = new File(mBaseStateDir, dirName);
4523        }
4524
4525        // Execute one tick of whatever state machine the task implements
4526        @Override
4527        public void execute() {
4528            if (MORE_DEBUG) Slog.v(TAG, "*** Executing restore step: " + mCurrentState);
4529            switch (mCurrentState) {
4530                case INITIAL:
4531                    beginRestore();
4532                    break;
4533
4534                case DOWNLOAD_DATA:
4535                    downloadRestoreData();
4536                    break;
4537
4538                case PM_METADATA:
4539                    restorePmMetadata();
4540                    break;
4541
4542                case RUNNING_QUEUE:
4543                    restoreNextAgent();
4544                    break;
4545
4546                case FINAL:
4547                    if (!mFinished) finalizeRestore();
4548                    else {
4549                        Slog.e(TAG, "Duplicate finish");
4550                    }
4551                    mFinished = true;
4552                    break;
4553            }
4554        }
4555
4556        // Initialize and set up for the PM metadata restore, which comes first
4557        void beginRestore() {
4558            // Don't account time doing the restore as inactivity of the app
4559            // that has opened a restore session.
4560            mBackupHandler.removeMessages(MSG_RESTORE_TIMEOUT);
4561
4562            // Assume error until we successfully init everything
4563            mStatus = BackupConstants.TRANSPORT_ERROR;
4564
4565            try {
4566                // TODO: Log this before getAvailableRestoreSets, somehow
4567                EventLog.writeEvent(EventLogTags.RESTORE_START, mTransport.transportDirName(), mToken);
4568
4569                // Get the list of all packages which have backup enabled.
4570                // (Include the Package Manager metadata pseudo-package first.)
4571                mRestorePackages = new ArrayList<PackageInfo>();
4572                PackageInfo omPackage = new PackageInfo();
4573                omPackage.packageName = PACKAGE_MANAGER_SENTINEL;
4574                mRestorePackages.add(omPackage);
4575
4576                mAgentPackages = allAgentPackages();
4577                if (mTargetPackage == null) {
4578                    // if there's a filter set, strip out anything that isn't
4579                    // present before proceeding
4580                    if (mFilterSet != null) {
4581                        for (int i = mAgentPackages.size() - 1; i >= 0; i--) {
4582                            final PackageInfo pkg = mAgentPackages.get(i);
4583                            if (! mFilterSet.contains(pkg.packageName)) {
4584                                mAgentPackages.remove(i);
4585                            }
4586                        }
4587                        if (MORE_DEBUG) {
4588                            Slog.i(TAG, "Post-filter package set for restore:");
4589                            for (PackageInfo p : mAgentPackages) {
4590                                Slog.i(TAG, "    " + p);
4591                            }
4592                        }
4593                    }
4594                    mRestorePackages.addAll(mAgentPackages);
4595                } else {
4596                    // Just one package to attempt restore of
4597                    mRestorePackages.add(mTargetPackage);
4598                }
4599
4600                // let the observer know that we're running
4601                if (mObserver != null) {
4602                    try {
4603                        // !!! TODO: get an actual count from the transport after
4604                        // its startRestore() runs?
4605                        mObserver.restoreStarting(mRestorePackages.size());
4606                    } catch (RemoteException e) {
4607                        Slog.d(TAG, "Restore observer died at restoreStarting");
4608                        mObserver = null;
4609                    }
4610                }
4611            } catch (RemoteException e) {
4612                // Something has gone catastrophically wrong with the transport
4613                Slog.e(TAG, "Error communicating with transport for restore");
4614                executeNextState(RestoreState.FINAL);
4615                return;
4616            }
4617
4618            mStatus = BackupConstants.TRANSPORT_OK;
4619            executeNextState(RestoreState.DOWNLOAD_DATA);
4620        }
4621
4622        void downloadRestoreData() {
4623            // Note that the download phase can be very time consuming, but we're executing
4624            // it inline here on the looper.  This is "okay" because it is not calling out to
4625            // third party code; the transport is "trusted," and so we assume it is being a
4626            // good citizen and timing out etc when appropriate.
4627            //
4628            // TODO: when appropriate, move the download off the looper and rearrange the
4629            //       error handling around that.
4630            try {
4631                mStatus = mTransport.startRestore(mToken,
4632                        mRestorePackages.toArray(new PackageInfo[0]));
4633                if (mStatus != BackupConstants.TRANSPORT_OK) {
4634                    Slog.e(TAG, "Error starting restore operation");
4635                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4636                    executeNextState(RestoreState.FINAL);
4637                    return;
4638                }
4639            } catch (RemoteException e) {
4640                Slog.e(TAG, "Error communicating with transport for restore");
4641                EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4642                mStatus = BackupConstants.TRANSPORT_ERROR;
4643                executeNextState(RestoreState.FINAL);
4644                return;
4645            }
4646
4647            // Successful download of the data to be parceled out to the apps, so off we go.
4648            executeNextState(RestoreState.PM_METADATA);
4649        }
4650
4651        void restorePmMetadata() {
4652            try {
4653                String packageName = mTransport.nextRestorePackage();
4654                if (packageName == null) {
4655                    Slog.e(TAG, "Error getting first restore package");
4656                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4657                    mStatus = BackupConstants.TRANSPORT_ERROR;
4658                    executeNextState(RestoreState.FINAL);
4659                    return;
4660                } else if (packageName.equals("")) {
4661                    Slog.i(TAG, "No restore data available");
4662                    int millis = (int) (SystemClock.elapsedRealtime() - mStartRealtime);
4663                    EventLog.writeEvent(EventLogTags.RESTORE_SUCCESS, 0, millis);
4664                    mStatus = BackupConstants.TRANSPORT_OK;
4665                    executeNextState(RestoreState.FINAL);
4666                    return;
4667                } else if (!packageName.equals(PACKAGE_MANAGER_SENTINEL)) {
4668                    Slog.e(TAG, "Expected restore data for \"" + PACKAGE_MANAGER_SENTINEL
4669                            + "\", found only \"" + packageName + "\"");
4670                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, PACKAGE_MANAGER_SENTINEL,
4671                            "Package manager data missing");
4672                    executeNextState(RestoreState.FINAL);
4673                    return;
4674                }
4675
4676                // Pull the Package Manager metadata from the restore set first
4677                PackageInfo omPackage = new PackageInfo();
4678                omPackage.packageName = PACKAGE_MANAGER_SENTINEL;
4679                mPmAgent = new PackageManagerBackupAgent(
4680                        mPackageManager, mAgentPackages);
4681                initiateOneRestore(omPackage, 0, IBackupAgent.Stub.asInterface(mPmAgent.onBind()),
4682                        mNeedFullBackup);
4683                // The PM agent called operationComplete() already, because our invocation
4684                // of it is process-local and therefore synchronous.  That means that a
4685                // RUNNING_QUEUE message is already enqueued.  Only if we're unable to
4686                // proceed with running the queue do we remove that pending message and
4687                // jump straight to the FINAL state.
4688
4689                // Verify that the backup set includes metadata.  If not, we can't do
4690                // signature/version verification etc, so we simply do not proceed with
4691                // the restore operation.
4692                if (!mPmAgent.hasMetadata()) {
4693                    Slog.e(TAG, "No restore metadata available, so not restoring settings");
4694                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, PACKAGE_MANAGER_SENTINEL,
4695                    "Package manager restore metadata missing");
4696                    mStatus = BackupConstants.TRANSPORT_ERROR;
4697                    mBackupHandler.removeMessages(MSG_BACKUP_RESTORE_STEP, this);
4698                    executeNextState(RestoreState.FINAL);
4699                    return;
4700                }
4701            } catch (RemoteException e) {
4702                Slog.e(TAG, "Error communicating with transport for restore");
4703                EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4704                mStatus = BackupConstants.TRANSPORT_ERROR;
4705                mBackupHandler.removeMessages(MSG_BACKUP_RESTORE_STEP, this);
4706                executeNextState(RestoreState.FINAL);
4707                return;
4708            }
4709
4710            // Metadata is intact, so we can now run the restore queue.  If we get here,
4711            // we have already enqueued the necessary next-step message on the looper.
4712        }
4713
4714        void restoreNextAgent() {
4715            try {
4716                String packageName = mTransport.nextRestorePackage();
4717
4718                if (packageName == null) {
4719                    Slog.e(TAG, "Error getting next restore package");
4720                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4721                    executeNextState(RestoreState.FINAL);
4722                    return;
4723                } else if (packageName.equals("")) {
4724                    if (DEBUG) Slog.v(TAG, "No next package, finishing restore");
4725                    int millis = (int) (SystemClock.elapsedRealtime() - mStartRealtime);
4726                    EventLog.writeEvent(EventLogTags.RESTORE_SUCCESS, mCount, millis);
4727                    executeNextState(RestoreState.FINAL);
4728                    return;
4729                }
4730
4731                if (mObserver != null) {
4732                    try {
4733                        mObserver.onUpdate(mCount, packageName);
4734                    } catch (RemoteException e) {
4735                        Slog.d(TAG, "Restore observer died in onUpdate");
4736                        mObserver = null;
4737                    }
4738                }
4739
4740                Metadata metaInfo = mPmAgent.getRestoredMetadata(packageName);
4741                if (metaInfo == null) {
4742                    Slog.e(TAG, "Missing metadata for " + packageName);
4743                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
4744                            "Package metadata missing");
4745                    executeNextState(RestoreState.RUNNING_QUEUE);
4746                    return;
4747                }
4748
4749                PackageInfo packageInfo;
4750                try {
4751                    int flags = PackageManager.GET_SIGNATURES;
4752                    packageInfo = mPackageManager.getPackageInfo(packageName, flags);
4753                } catch (NameNotFoundException e) {
4754                    Slog.e(TAG, "Invalid package restoring data", e);
4755                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
4756                            "Package missing on device");
4757                    executeNextState(RestoreState.RUNNING_QUEUE);
4758                    return;
4759                }
4760
4761                if (packageInfo.applicationInfo.backupAgentName == null
4762                        || "".equals(packageInfo.applicationInfo.backupAgentName)) {
4763                    if (DEBUG) {
4764                        Slog.i(TAG, "Data exists for package " + packageName
4765                                + " but app has no agent; skipping");
4766                    }
4767                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
4768                            "Package has no agent");
4769                    executeNextState(RestoreState.RUNNING_QUEUE);
4770                    return;
4771                }
4772
4773                if (metaInfo.versionCode > packageInfo.versionCode) {
4774                    // Data is from a "newer" version of the app than we have currently
4775                    // installed.  If the app has not declared that it is prepared to
4776                    // handle this case, we do not attempt the restore.
4777                    if ((packageInfo.applicationInfo.flags
4778                            & ApplicationInfo.FLAG_RESTORE_ANY_VERSION) == 0) {
4779                        String message = "Version " + metaInfo.versionCode
4780                        + " > installed version " + packageInfo.versionCode;
4781                        Slog.w(TAG, "Package " + packageName + ": " + message);
4782                        EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
4783                                packageName, message);
4784                        executeNextState(RestoreState.RUNNING_QUEUE);
4785                        return;
4786                    } else {
4787                        if (DEBUG) Slog.v(TAG, "Version " + metaInfo.versionCode
4788                                + " > installed " + packageInfo.versionCode
4789                                + " but restoreAnyVersion");
4790                    }
4791                }
4792
4793                if (!signaturesMatch(metaInfo.signatures, packageInfo)) {
4794                    Slog.w(TAG, "Signature mismatch restoring " + packageName);
4795                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
4796                            "Signature mismatch");
4797                    executeNextState(RestoreState.RUNNING_QUEUE);
4798                    return;
4799                }
4800
4801                if (DEBUG) Slog.v(TAG, "Package " + packageName
4802                        + " restore version [" + metaInfo.versionCode
4803                        + "] is compatible with installed version ["
4804                        + packageInfo.versionCode + "]");
4805
4806                // Then set up and bind the agent
4807                IBackupAgent agent = bindToAgentSynchronous(
4808                        packageInfo.applicationInfo,
4809                        IApplicationThread.BACKUP_MODE_INCREMENTAL);
4810                if (agent == null) {
4811                    Slog.w(TAG, "Can't find backup agent for " + packageName);
4812                    EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName,
4813                            "Restore agent missing");
4814                    executeNextState(RestoreState.RUNNING_QUEUE);
4815                    return;
4816                }
4817
4818                // And then finally start the restore on this agent
4819                try {
4820                    initiateOneRestore(packageInfo, metaInfo.versionCode, agent, mNeedFullBackup);
4821                    ++mCount;
4822                } catch (Exception e) {
4823                    Slog.e(TAG, "Error when attempting restore: " + e.toString());
4824                    agentErrorCleanup();
4825                    executeNextState(RestoreState.RUNNING_QUEUE);
4826                }
4827            } catch (RemoteException e) {
4828                Slog.e(TAG, "Unable to fetch restore data from transport");
4829                mStatus = BackupConstants.TRANSPORT_ERROR;
4830                executeNextState(RestoreState.FINAL);
4831            }
4832        }
4833
4834        void finalizeRestore() {
4835            if (MORE_DEBUG) Slog.d(TAG, "finishing restore mObserver=" + mObserver);
4836
4837            try {
4838                mTransport.finishRestore();
4839            } catch (RemoteException e) {
4840                Slog.e(TAG, "Error finishing restore", e);
4841            }
4842
4843            if (mObserver != null) {
4844                try {
4845                    mObserver.restoreFinished(mStatus);
4846                } catch (RemoteException e) {
4847                    Slog.d(TAG, "Restore observer died at restoreFinished");
4848                }
4849            }
4850
4851            // If this was a restoreAll operation, record that this was our
4852            // ancestral dataset, as well as the set of apps that are possibly
4853            // restoreable from the dataset
4854            if (mTargetPackage == null && mPmAgent != null) {
4855                mAncestralPackages = mPmAgent.getRestoredPackages();
4856                mAncestralToken = mToken;
4857                writeRestoreTokens();
4858            }
4859
4860            // We must under all circumstances tell the Package Manager to
4861            // proceed with install notifications if it's waiting for us.
4862            if (mPmToken > 0) {
4863                if (MORE_DEBUG) Slog.v(TAG, "finishing PM token " + mPmToken);
4864                try {
4865                    mPackageManagerBinder.finishPackageInstall(mPmToken);
4866                } catch (RemoteException e) { /* can't happen */ }
4867            }
4868
4869            // Furthermore we need to reset the session timeout clock
4870            mBackupHandler.removeMessages(MSG_RESTORE_TIMEOUT);
4871            mBackupHandler.sendEmptyMessageDelayed(MSG_RESTORE_TIMEOUT,
4872                    TIMEOUT_RESTORE_INTERVAL);
4873
4874            // done; we can finally release the wakelock
4875            Slog.i(TAG, "Restore complete.");
4876            mWakelock.release();
4877        }
4878
4879        // Call asynchronously into the app, passing it the restore data.  The next step
4880        // after this is always a callback, either operationComplete() or handleTimeout().
4881        void initiateOneRestore(PackageInfo app, int appVersionCode, IBackupAgent agent,
4882                boolean needFullBackup) {
4883            mCurrentPackage = app;
4884            final String packageName = app.packageName;
4885
4886            if (DEBUG) Slog.d(TAG, "initiateOneRestore packageName=" + packageName);
4887
4888            // !!! TODO: get the dirs from the transport
4889            mBackupDataName = new File(mDataDir, packageName + ".restore");
4890            mNewStateName = new File(mStateDir, packageName + ".new");
4891            mSavedStateName = new File(mStateDir, packageName);
4892
4893            final int token = generateToken();
4894            try {
4895                // Run the transport's restore pass
4896                mBackupData = ParcelFileDescriptor.open(mBackupDataName,
4897                            ParcelFileDescriptor.MODE_READ_WRITE |
4898                            ParcelFileDescriptor.MODE_CREATE |
4899                            ParcelFileDescriptor.MODE_TRUNCATE);
4900
4901                if (!SELinux.restorecon(mBackupDataName)) {
4902                    Slog.e(TAG, "SElinux restorecon failed for " + mBackupDataName);
4903                }
4904
4905                if (mTransport.getRestoreData(mBackupData) != BackupConstants.TRANSPORT_OK) {
4906                    // Transport-level failure, so we wind everything up and
4907                    // terminate the restore operation.
4908                    Slog.e(TAG, "Error getting restore data for " + packageName);
4909                    EventLog.writeEvent(EventLogTags.RESTORE_TRANSPORT_FAILURE);
4910                    mBackupData.close();
4911                    mBackupDataName.delete();
4912                    executeNextState(RestoreState.FINAL);
4913                    return;
4914                }
4915
4916                // Okay, we have the data.  Now have the agent do the restore.
4917                mBackupData.close();
4918                mBackupData = ParcelFileDescriptor.open(mBackupDataName,
4919                            ParcelFileDescriptor.MODE_READ_ONLY);
4920
4921                mNewState = ParcelFileDescriptor.open(mNewStateName,
4922                            ParcelFileDescriptor.MODE_READ_WRITE |
4923                            ParcelFileDescriptor.MODE_CREATE |
4924                            ParcelFileDescriptor.MODE_TRUNCATE);
4925
4926                // Kick off the restore, checking for hung agents
4927                prepareOperationTimeout(token, TIMEOUT_RESTORE_INTERVAL, this);
4928                agent.doRestore(mBackupData, appVersionCode, mNewState, token, mBackupManagerBinder);
4929            } catch (Exception e) {
4930                Slog.e(TAG, "Unable to call app for restore: " + packageName, e);
4931                EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE, packageName, e.toString());
4932                agentErrorCleanup();    // clears any pending timeout messages as well
4933
4934                // After a restore failure we go back to running the queue.  If there
4935                // are no more packages to be restored that will be handled by the
4936                // next step.
4937                executeNextState(RestoreState.RUNNING_QUEUE);
4938            }
4939        }
4940
4941        void agentErrorCleanup() {
4942            // If the agent fails restore, it might have put the app's data
4943            // into an incoherent state.  For consistency we wipe its data
4944            // again in this case before continuing with normal teardown
4945            clearApplicationDataSynchronous(mCurrentPackage.packageName);
4946            agentCleanup();
4947        }
4948
4949        void agentCleanup() {
4950            mBackupDataName.delete();
4951            try { if (mBackupData != null) mBackupData.close(); } catch (IOException e) {}
4952            try { if (mNewState != null) mNewState.close(); } catch (IOException e) {}
4953            mBackupData = mNewState = null;
4954
4955            // if everything went okay, remember the recorded state now
4956            //
4957            // !!! TODO: the restored data should be migrated on the server
4958            // side into the current dataset.  In that case the new state file
4959            // we just created would reflect the data already extant in the
4960            // backend, so there'd be nothing more to do.  Until that happens,
4961            // however, we need to make sure that we record the data to the
4962            // current backend dataset.  (Yes, this means shipping the data over
4963            // the wire in both directions.  That's bad, but consistency comes
4964            // first, then efficiency.)  Once we introduce server-side data
4965            // migration to the newly-restored device's dataset, we will change
4966            // the following from a discard of the newly-written state to the
4967            // "correct" operation of renaming into the canonical state blob.
4968            mNewStateName.delete();                      // TODO: remove; see above comment
4969            //mNewStateName.renameTo(mSavedStateName);   // TODO: replace with this
4970
4971            // If this wasn't the PM pseudopackage, tear down the agent side
4972            if (mCurrentPackage.applicationInfo != null) {
4973                // unbind and tidy up even on timeout or failure
4974                try {
4975                    mActivityManager.unbindBackupAgent(mCurrentPackage.applicationInfo);
4976
4977                    // The agent was probably running with a stub Application object,
4978                    // which isn't a valid run mode for the main app logic.  Shut
4979                    // down the app so that next time it's launched, it gets the
4980                    // usual full initialization.  Note that this is only done for
4981                    // full-system restores: when a single app has requested a restore,
4982                    // it is explicitly not killed following that operation.
4983                    if (mTargetPackage == null && (mCurrentPackage.applicationInfo.flags
4984                            & ApplicationInfo.FLAG_KILL_AFTER_RESTORE) != 0) {
4985                        if (DEBUG) Slog.d(TAG, "Restore complete, killing host process of "
4986                                + mCurrentPackage.applicationInfo.processName);
4987                        mActivityManager.killApplicationProcess(
4988                                mCurrentPackage.applicationInfo.processName,
4989                                mCurrentPackage.applicationInfo.uid);
4990                    }
4991                } catch (RemoteException e) {
4992                    // can't happen; we run in the same process as the activity manager
4993                }
4994            }
4995
4996            // The caller is responsible for reestablishing the state machine; our
4997            // responsibility here is to clear the decks for whatever comes next.
4998            mBackupHandler.removeMessages(MSG_TIMEOUT, this);
4999            synchronized (mCurrentOpLock) {
5000                mCurrentOperations.clear();
5001            }
5002        }
5003
5004        // A call to agent.doRestore() has been positively acknowledged as complete
5005        @Override
5006        public void operationComplete() {
5007            int size = (int) mBackupDataName.length();
5008            EventLog.writeEvent(EventLogTags.RESTORE_PACKAGE, mCurrentPackage.packageName, size);
5009            // Just go back to running the restore queue
5010            agentCleanup();
5011
5012            executeNextState(RestoreState.RUNNING_QUEUE);
5013        }
5014
5015        // A call to agent.doRestore() has timed out
5016        @Override
5017        public void handleTimeout() {
5018            Slog.e(TAG, "Timeout restoring application " + mCurrentPackage.packageName);
5019            EventLog.writeEvent(EventLogTags.RESTORE_AGENT_FAILURE,
5020                    mCurrentPackage.packageName, "restore timeout");
5021            // Handle like an agent that threw on invocation: wipe it and go on to the next
5022            agentErrorCleanup();
5023            executeNextState(RestoreState.RUNNING_QUEUE);
5024        }
5025
5026        void executeNextState(RestoreState nextState) {
5027            if (MORE_DEBUG) Slog.i(TAG, " => executing next step on "
5028                    + this + " nextState=" + nextState);
5029            mCurrentState = nextState;
5030            Message msg = mBackupHandler.obtainMessage(MSG_BACKUP_RESTORE_STEP, this);
5031            mBackupHandler.sendMessage(msg);
5032        }
5033    }
5034
5035    class PerformClearTask implements Runnable {
5036        IBackupTransport mTransport;
5037        PackageInfo mPackage;
5038
5039        PerformClearTask(IBackupTransport transport, PackageInfo packageInfo) {
5040            mTransport = transport;
5041            mPackage = packageInfo;
5042        }
5043
5044        public void run() {
5045            try {
5046                // Clear the on-device backup state to ensure a full backup next time
5047                File stateDir = new File(mBaseStateDir, mTransport.transportDirName());
5048                File stateFile = new File(stateDir, mPackage.packageName);
5049                stateFile.delete();
5050
5051                // Tell the transport to remove all the persistent storage for the app
5052                // TODO - need to handle failures
5053                mTransport.clearBackupData(mPackage);
5054            } catch (RemoteException e) {
5055                // can't happen; the transport is local
5056            } catch (Exception e) {
5057                Slog.e(TAG, "Transport threw attempting to clear data for " + mPackage);
5058            } finally {
5059                try {
5060                    // TODO - need to handle failures
5061                    mTransport.finishBackup();
5062                } catch (RemoteException e) {
5063                    // can't happen; the transport is local
5064                }
5065
5066                // Last but not least, release the cpu
5067                mWakelock.release();
5068            }
5069        }
5070    }
5071
5072    class PerformInitializeTask implements Runnable {
5073        HashSet<String> mQueue;
5074
5075        PerformInitializeTask(HashSet<String> transportNames) {
5076            mQueue = transportNames;
5077        }
5078
5079        public void run() {
5080            try {
5081                for (String transportName : mQueue) {
5082                    IBackupTransport transport = getTransport(transportName);
5083                    if (transport == null) {
5084                        Slog.e(TAG, "Requested init for " + transportName + " but not found");
5085                        continue;
5086                    }
5087
5088                    Slog.i(TAG, "Initializing (wiping) backup transport storage: " + transportName);
5089                    EventLog.writeEvent(EventLogTags.BACKUP_START, transport.transportDirName());
5090                    long startRealtime = SystemClock.elapsedRealtime();
5091                    int status = transport.initializeDevice();
5092
5093                    if (status == BackupConstants.TRANSPORT_OK) {
5094                        status = transport.finishBackup();
5095                    }
5096
5097                    // Okay, the wipe really happened.  Clean up our local bookkeeping.
5098                    if (status == BackupConstants.TRANSPORT_OK) {
5099                        Slog.i(TAG, "Device init successful");
5100                        int millis = (int) (SystemClock.elapsedRealtime() - startRealtime);
5101                        EventLog.writeEvent(EventLogTags.BACKUP_INITIALIZE);
5102                        resetBackupState(new File(mBaseStateDir, transport.transportDirName()));
5103                        EventLog.writeEvent(EventLogTags.BACKUP_SUCCESS, 0, millis);
5104                        synchronized (mQueueLock) {
5105                            recordInitPendingLocked(false, transportName);
5106                        }
5107                    } else {
5108                        // If this didn't work, requeue this one and try again
5109                        // after a suitable interval
5110                        Slog.e(TAG, "Transport error in initializeDevice()");
5111                        EventLog.writeEvent(EventLogTags.BACKUP_TRANSPORT_FAILURE, "(initialize)");
5112                        synchronized (mQueueLock) {
5113                            recordInitPendingLocked(true, transportName);
5114                        }
5115                        // do this via another alarm to make sure of the wakelock states
5116                        long delay = transport.requestBackupTime();
5117                        if (DEBUG) Slog.w(TAG, "init failed on "
5118                                + transportName + " resched in " + delay);
5119                        mAlarmManager.set(AlarmManager.RTC_WAKEUP,
5120                                System.currentTimeMillis() + delay, mRunInitIntent);
5121                    }
5122                }
5123            } catch (RemoteException e) {
5124                // can't happen; the transports are local
5125            } catch (Exception e) {
5126                Slog.e(TAG, "Unexpected error performing init", e);
5127            } finally {
5128                // Done; release the wakelock
5129                mWakelock.release();
5130            }
5131        }
5132    }
5133
5134    private void dataChangedImpl(String packageName) {
5135        HashSet<String> targets = dataChangedTargets(packageName);
5136        dataChangedImpl(packageName, targets);
5137    }
5138
5139    private void dataChangedImpl(String packageName, HashSet<String> targets) {
5140        // Record that we need a backup pass for the caller.  Since multiple callers
5141        // may share a uid, we need to note all candidates within that uid and schedule
5142        // a backup pass for each of them.
5143        EventLog.writeEvent(EventLogTags.BACKUP_DATA_CHANGED, packageName);
5144
5145        if (targets == null) {
5146            Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
5147                   + " uid=" + Binder.getCallingUid());
5148            return;
5149        }
5150
5151        synchronized (mQueueLock) {
5152            // Note that this client has made data changes that need to be backed up
5153            if (targets.contains(packageName)) {
5154                // Add the caller to the set of pending backups.  If there is
5155                // one already there, then overwrite it, but no harm done.
5156                BackupRequest req = new BackupRequest(packageName);
5157                if (mPendingBackups.put(packageName, req) == null) {
5158                    if (DEBUG) Slog.d(TAG, "Now staging backup of " + packageName);
5159
5160                    // Journal this request in case of crash.  The put()
5161                    // operation returned null when this package was not already
5162                    // in the set; we want to avoid touching the disk redundantly.
5163                    writeToJournalLocked(packageName);
5164
5165                    if (MORE_DEBUG) {
5166                        int numKeys = mPendingBackups.size();
5167                        Slog.d(TAG, "Now awaiting backup for " + numKeys + " participants:");
5168                        for (BackupRequest b : mPendingBackups.values()) {
5169                            Slog.d(TAG, "    + " + b);
5170                        }
5171                    }
5172                }
5173            }
5174        }
5175    }
5176
5177    // Note: packageName is currently unused, but may be in the future
5178    private HashSet<String> dataChangedTargets(String packageName) {
5179        // If the caller does not hold the BACKUP permission, it can only request a
5180        // backup of its own data.
5181        if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
5182                Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
5183            synchronized (mBackupParticipants) {
5184                return mBackupParticipants.get(Binder.getCallingUid());
5185            }
5186        }
5187
5188        // a caller with full permission can ask to back up any participating app
5189        // !!! TODO: allow backup of ANY app?
5190        HashSet<String> targets = new HashSet<String>();
5191        synchronized (mBackupParticipants) {
5192            int N = mBackupParticipants.size();
5193            for (int i = 0; i < N; i++) {
5194                HashSet<String> s = mBackupParticipants.valueAt(i);
5195                if (s != null) {
5196                    targets.addAll(s);
5197                }
5198            }
5199        }
5200        return targets;
5201    }
5202
5203    private void writeToJournalLocked(String str) {
5204        RandomAccessFile out = null;
5205        try {
5206            if (mJournal == null) mJournal = File.createTempFile("journal", null, mJournalDir);
5207            out = new RandomAccessFile(mJournal, "rws");
5208            out.seek(out.length());
5209            out.writeUTF(str);
5210        } catch (IOException e) {
5211            Slog.e(TAG, "Can't write " + str + " to backup journal", e);
5212            mJournal = null;
5213        } finally {
5214            try { if (out != null) out.close(); } catch (IOException e) {}
5215        }
5216    }
5217
5218    // ----- IBackupManager binder interface -----
5219
5220    public void dataChanged(final String packageName) {
5221        final int callingUserHandle = UserHandle.getCallingUserId();
5222        if (callingUserHandle != UserHandle.USER_OWNER) {
5223            // App is running under a non-owner user profile.  For now, we do not back
5224            // up data from secondary user profiles.
5225            // TODO: backups for all user profiles.
5226            if (MORE_DEBUG) {
5227                Slog.v(TAG, "dataChanged(" + packageName + ") ignored because it's user "
5228                        + callingUserHandle);
5229            }
5230            return;
5231        }
5232
5233        final HashSet<String> targets = dataChangedTargets(packageName);
5234        if (targets == null) {
5235            Slog.w(TAG, "dataChanged but no participant pkg='" + packageName + "'"
5236                   + " uid=" + Binder.getCallingUid());
5237            return;
5238        }
5239
5240        mBackupHandler.post(new Runnable() {
5241                public void run() {
5242                    dataChangedImpl(packageName, targets);
5243                }
5244            });
5245    }
5246
5247    // Clear the given package's backup data from the current transport
5248    public void clearBackupData(String transportName, String packageName) {
5249        if (DEBUG) Slog.v(TAG, "clearBackupData() of " + packageName + " on " + transportName);
5250        PackageInfo info;
5251        try {
5252            info = mPackageManager.getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
5253        } catch (NameNotFoundException e) {
5254            Slog.d(TAG, "No such package '" + packageName + "' - not clearing backup data");
5255            return;
5256        }
5257
5258        // If the caller does not hold the BACKUP permission, it can only request a
5259        // wipe of its own backed-up data.
5260        HashSet<String> apps;
5261        if ((mContext.checkPermission(android.Manifest.permission.BACKUP, Binder.getCallingPid(),
5262                Binder.getCallingUid())) == PackageManager.PERMISSION_DENIED) {
5263            apps = mBackupParticipants.get(Binder.getCallingUid());
5264        } else {
5265            // a caller with full permission can ask to back up any participating app
5266            // !!! TODO: allow data-clear of ANY app?
5267            if (DEBUG) Slog.v(TAG, "Privileged caller, allowing clear of other apps");
5268            apps = new HashSet<String>();
5269            int N = mBackupParticipants.size();
5270            for (int i = 0; i < N; i++) {
5271                HashSet<String> s = mBackupParticipants.valueAt(i);
5272                if (s != null) {
5273                    apps.addAll(s);
5274                }
5275            }
5276        }
5277
5278        // Is the given app an available participant?
5279        if (apps.contains(packageName)) {
5280            // found it; fire off the clear request
5281            if (DEBUG) Slog.v(TAG, "Found the app - running clear process");
5282            mBackupHandler.removeMessages(MSG_RETRY_CLEAR);
5283            synchronized (mQueueLock) {
5284                final IBackupTransport transport = getTransport(transportName);
5285                if (transport == null) {
5286                    // transport is currently unavailable -- make sure to retry
5287                    Message msg = mBackupHandler.obtainMessage(MSG_RETRY_CLEAR,
5288                            new ClearRetryParams(transportName, packageName));
5289                    mBackupHandler.sendMessageDelayed(msg, TRANSPORT_RETRY_INTERVAL);
5290                    return;
5291                }
5292                long oldId = Binder.clearCallingIdentity();
5293                mWakelock.acquire();
5294                Message msg = mBackupHandler.obtainMessage(MSG_RUN_CLEAR,
5295                        new ClearParams(transport, info));
5296                mBackupHandler.sendMessage(msg);
5297                Binder.restoreCallingIdentity(oldId);
5298            }
5299        }
5300    }
5301
5302    // Run a backup pass immediately for any applications that have declared
5303    // that they have pending updates.
5304    public void backupNow() {
5305        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP, "backupNow");
5306
5307        if (DEBUG) Slog.v(TAG, "Scheduling immediate backup pass");
5308        synchronized (mQueueLock) {
5309            // Because the alarms we are using can jitter, and we want an *immediate*
5310            // backup pass to happen, we restart the timer beginning with "next time,"
5311            // then manually fire the backup trigger intent ourselves.
5312            startBackupAlarmsLocked(BACKUP_INTERVAL);
5313            try {
5314                mRunBackupIntent.send();
5315            } catch (PendingIntent.CanceledException e) {
5316                // should never happen
5317                Slog.e(TAG, "run-backup intent cancelled!");
5318            }
5319        }
5320    }
5321
5322    boolean deviceIsProvisioned() {
5323        final ContentResolver resolver = mContext.getContentResolver();
5324        return (Settings.Global.getInt(resolver, Settings.Global.DEVICE_PROVISIONED, 0) != 0);
5325    }
5326
5327    // Run a *full* backup pass for the given package, writing the resulting data stream
5328    // to the supplied file descriptor.  This method is synchronous and does not return
5329    // to the caller until the backup has been completed.
5330    public void fullBackup(ParcelFileDescriptor fd, boolean includeApks,
5331            boolean includeObbs, boolean includeShared,
5332            boolean doAllApps, boolean includeSystem, String[] pkgList) {
5333        mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "fullBackup");
5334
5335        final int callingUserHandle = UserHandle.getCallingUserId();
5336        if (callingUserHandle != UserHandle.USER_OWNER) {
5337            throw new IllegalStateException("Backup supported only for the device owner");
5338        }
5339
5340        // Validate
5341        if (!doAllApps) {
5342            if (!includeShared) {
5343                // If we're backing up shared data (sdcard or equivalent), then we can run
5344                // without any supplied app names.  Otherwise, we'd be doing no work, so
5345                // report the error.
5346                if (pkgList == null || pkgList.length == 0) {
5347                    throw new IllegalArgumentException(
5348                            "Backup requested but neither shared nor any apps named");
5349                }
5350            }
5351        }
5352
5353        long oldId = Binder.clearCallingIdentity();
5354        try {
5355            // Doesn't make sense to do a full backup prior to setup
5356            if (!deviceIsProvisioned()) {
5357                Slog.i(TAG, "Full backup not supported before setup");
5358                return;
5359            }
5360
5361            if (DEBUG) Slog.v(TAG,