when user is removed.
For non system users, backup state is stored in both the user's own dir and the system dir.
When the user is removed, the user's own dir gets removed by the OS. This code change ensures
that the part of the user backup state which is in the system dir also gets removed.
Bug: 127650374
Test: atest -v CtsBackupHostTestCases:android.cts.backup.MultiUserBackupStateTest
Change-Id: I4ea252e8e6da608e36ec3ac335666923d88a8748
See build/soong/README.md for more information.
Bug: 122332340
Test: m media
Test: m RunBackupFrameworksServicesRoboTests
Change-Id: Ieb54feb3902bddfd5a571369fbf50161ae646647
Key changes in this CL:
- Backup is now disabled by default in non-system users unless DPM
activates backup for this user AND the system user is activated. This
provides gating for the multi-user B&R feature.
- Activation is done via an 'activate' file that is per-user (but lives
in the system user directory to account for locked users).
- isBackupServiceActive() handles both locked and unlocked users.
- Added a bmgr command to expose isBackupServiceActive() for testing
purposes and enforce appropriate permissions.
Future CLs:
- Handle future migration to backup on by default for non-system users
- Change CTS tests to use the new bmgr command
Bug: 121306407
Test: 1) atest TrampolineTest
2) Start system user -> service started; run backup and restore
successfully
3) Start non-system user -> ignored;
4) adb shell bmgr --user 0 activate true -> security exception;
adb shell bmgr --user 10 activate true -> security exception (work
profile);
adb shell bmgr --user 11 activate true/false -> creates/deletes activate
file and starts/stops the service
Change-Id: Ic77db9b8b2e5170dcf89bef863dac4713730797a
Bug: 118480337
Test: 1) atest RunFrameworksServicesRoboTests
2) atest BmgrTest
3) atest CtsBackupTestCases
4) atest CtsBackupHostTestCases
5) atest GtsBackupTestCases
6) atest GtsBackupHostTestCases
UsageStatsRestoreHostSideTest fails. I verified locally that this test
fails without this change too.
7) flashed device and ran:adb shell bmgr --user 10 backupnow --all
Logs and output are as expected since backupservice isnt active for user 10
log: Bmgr : Running backupnow for user:10
output: Error: Could not access the Backup Manager. Is the system running
8) flashed device and ran:adb shell bmgr backupnow --all
log: Bmgr : Running backupnow for user:0
output:
Running incremental backup for all packages.
Package @pm@ with result: Success
....
Backup finished with result: Success
Change-Id: Icfebe26f36276ea687d15c9f9c361c409313ae9d
Also put comment on RestoreSession saying that it doesn't kill the app
in the end.
Bug: 29255593
Test: Builds
adb shell bmgr help, verify usage
adb shell bmgr restore android, verify no-op
Change-Id: I89304149ea6c03a80937e321cf3a46fd173308e2
If BMS is not running, we should not run any bmgr commands and print an
error. This can occur after a device with a lockscreen reboots and has
not unlocked yet, as the backup service is not active before unlocking.
Bug: 80691476
Test: 1) Device with lock + adb reboot -> run any 'adb shell bmgr'
command -> prints error
2) Device with no lock + adb reboot -> run any 'adb shell bmgr' command
-> success
Change-Id: I101b61d18a637cdb945ffc4a5e989a5dd270ee32
Says that backups can be canceled if one already running. Put message
for running backups in dumpsys for checking.
Bug: 72484277
Test: Triggered backup, checked dumpsys and bmgr backupnow
Change-Id: I028cf663858e374389f50175aaf5a3e8c9d45e42
Migrate usages of the transport binder to binding on-demand:
* getDestinationString()
* isAppEligibleForBackup()
* dump()
For getDestinationString() we'll be introducing an invisible bug for
people that haven't updated GMSCore to include the usage of
updateTransportAttributes() API introduced in earlier CL. The bug is
that that text won't change, it'll remain constant. It's invisible
because currently only place that uses that method is Settings in some
circumstances that depend on the transport, and those circunstances
don't happen with our transports. Check http://ag/1831025.
For isAppEligibleForBackup(), a new filterAppsEligibleForBackup() is
created and there we bind on-demand.
Change-Id: Idc9e31f0e8eda8531e204c05a84fafdaf0247d08
Ref: http://go/br-binding-on-demand
Bug: 17140907
Test: adb shell dumpsys backup, observe destination of transports
Test: adb shell bmgr backupnow --all, observe only eligible apps got backed-up
Test: Force-loaded settings screen and observed destination string
Test: m -j RunFrameworksServicesRoboTests
Without this, exec()ing these fails.
Found with `grep -L bin/sh $(grep -Rl Script)`
Bug: None
Test: exec()ed each of these scripts; I no longer get "exec format
error" for any of them.
Change-Id: I47db5007e5cc14ab91eb846b7bffecb925d37874
bmgr init TRANSPORT [...]
will run an init operation on each named transport, blocking
until the operations have all completed.
Bug 62253989
Test: manual
Change-Id: I7dbd94293738d5ecf195764f5b28905253819791
This CL adds more instumentation to
backup/restore operation in the BackupManager. For more details please
point to:
https://docs.google.com/document/d/1sUboR28LjkT1wRXOwVOV3tLo0qisiCvzxIGmzCVEjbI/edit#
This first Cl introduces 3 events that we sent to the monitor.
The base cl is ag/1835775
Test: TODO
BUG: 34873525
Change-Id: I127fe739a7522078eecce2ae689a4607203a98da
This is the first CL of many that will add instumentation to
backup/restore operation in the BackupManager. For more details please
point to:
https://docs.google.com/document/d/1sUboR28LjkT1wRXOwVOV3tLo0qisiCvzxIGmzCVEjbI/edit#
This first Cl introduces 3 events that we sent to the monitor.
Test: ag/1858962 (same topic)
BUG: 34873525
Change-Id: I6c338b6fd9f4d7c8670dac201897250b6b170677
This cl adds an API to select a backup
transport by its component name and
receive a callback when BackupManager
is bound to the transport. Calling this API
will make BackupManager bind to the transport
if it isn't already bound to it.
Also fixes the issue where BackupManager would
detect only one transport per package.
Ref: go/backup-transport-switching
Bug: 33616220
Test: Manually tested. GTS tests will be put up shortly.
Change-Id: I8c23bdbb84ceb05eb1fad9b3a8b9c4441cb06c74
This cl adds a new requestBackup API to
BackupManager that takes in an int flag
to indicate whether the caller wants the
entire key value set to be passed to the
transport and not just a diff.
Change-Id: Ia225797a58c4431fe742f2f116b257d006b30cd1
Bug: 33749084
Ref: go/request-backup-api-changes
Test: GTS Test at ag/1774002
Replace some custom rules with BUILD_PREBUILT.
Move tools from ALL_PREBUILTS to BUILD_PREBUILT. All of them are already
in PRODUCT_PACKAGES in build/target/product/base.mk.
Remove uses of ACP and replace with core build system macros or 'cp'
Change-Id: I529e7c6c50fc64ad36b75bb47142f6bde909d141
Add support to QUOTA_EXCEEDED error output.
Command "backupnow --all" without parameters now starts backup of all eligible packages.
Change-Id: I563be35d575346d3dfb45a6dd254b387053c7ab7
(cherry picked from commit d5d68528bc)
The new command works as "bmgr backupnow [list of packages]"
This change should be submitted after ag/834173
Change-Id: Ie1cdd18a38653dd71a1d499620dd2afec3cbbb24
Also make it handle the list of packages to be backed up as a single
multiple-app argument to fullTransportBackup() rather than N calls
each backing up one app.
Change-Id: I9fe4d5caca54fafef70ffe9af4c26e3941dc5d26
Currently no timed/scheduled full-data backup operations are
performed by the OS, but the plumbing is now in place and can
be tested using 'adb shell bmgr fullbackup pkg [pkg2 pkg3 ...]'.
The LocalTransport test transport implementation has been augmented
to support the new full-data backup API as well.
In addition, 'adb backup' now takes the -compress/-nocompress
command line options to control whether the resulting archive is
compressed before leaving the device. Previously the archive was
always compressed. (The default is still to compress, as it will
usually reduce the archive size considerably.)
Internally, the core implementation of gathering the full backup
data stream from the target application has been refactored into
an "engine" component that is shared by both 'adb backup' and the
transport-oriented full backup task. The archive file header
generation, encryption, and compression logic are now factored out
of the engine itself instead of being hardwired into the data
handling.
Bug 15329632
Change-Id: I4a044faa4070d684ef457bd3e11771198cdf557c
The init & clear operations are particularly important to ensure
delivery when at all possible, so we retry those periodically
if the transport is unavailable when we first attempt them.
Now with 100% less build break.
Bug 11716868
Change-Id: I2af4e93788068cfac97c0a48d3568c561eefa23d
The init & clear operations are particularly important to ensure
delivery when at all possible, so we retry those periodically
if the transport is unavailable when we first attempt them.
Bug 11716868
Change-Id: I4860fe3d4e99618b2cd194c83162bd7cbd5a83a9
Adds the ability to filter a restore of an historical dataset so that it
only restores certain apps' data regardless of what is actually present
in the dataset. This is currently only used by the bmgr command-line tool,
for debugging / developer support.
Bug 2021590
Change-Id: I7685e5d609b0f5506f71d70c26410602bb387659
This is the basic infrastructure for pulling a full(*) backup of the
device's data over an adb(**) connection to the local device. The
basic process consists of these interacting pieces:
1. The framework's BackupManagerService, which coordinates the
collection of app data and routing to the destination.
2. A new framework-provided BackupAgent implementation called
FullBackupAgent, which is instantiated in the target applications'
processes in turn, and knows how to emit a datastream that contains
all of the app's saved data files.
3. A new shell-level program called "bu" that is used to bridge from
adb to the framework's Backup Manager.
4. adb itself, which now knows how to use 'bu' to kick off a backup
operation and pull the resulting data stream to the desktop host.
5. A system-provided application that verifies with the user that
an attempted backup/restore operation is in fact expected and to
be allowed.
The full agent implementation is not used during normal operation of
the delta-based app-customized remote backup process. Instead it's
used during user-confirmed *full* backup of applications and all their
data to a local destination, e.g. via the adb connection.
The output format is 'tar'. This makes it very easy for the end
user to examine the resulting dataset, e.g. for purpose of extracting
files for debug purposes; as well as making it easy to contemplate
adding things like a direct gzip stage to the data pipeline during
backup/restore. It also makes it convenient to construct and maintain
synthetic backup datasets for testing purposes.
Within the tar format, certain artificial conventions are used.
All files are stored within top-level directories according to
their semantic origin:
apps/pkgname/a/ : Application .apk file itself
apps/pkgname/obb/: The application's associated .obb containers
apps/pkgname/f/ : The subtree rooted at the getFilesDir() location
apps/pkgname/db/ : The subtree rooted at the getDatabasePath() parent
apps/pkgname/sp/ : The subtree rooted at the getSharedPrefsFile() parent
apps/pkgname/r/ : Files stored relative to the root of the app's file tree
apps/pkgname/c/ : Reserved for the app's getCacheDir() tree; not stored.
For each package, the first entry in the tar stream is a file called
"_manifest", nominally rooted at apps/pkgname. This file contains some
metadata about the package whose data is stored in the archive.
The contents of shared storage can optionally be included in the tar
stream. It is placed in the synthetic location:
shared/...
uid/gid are ignored; app uids are assigned at install time, and the
app's data is handled from within its own execution environment, so
will automatically have the app's correct uid.
Forward-locked .apk files are never backed up. System-partition
.apk files are not backed up unless they have been overridden by a
post-factory upgrade, in which case the current .apk *is* backed up --
i.e. the .apk that matches the on-disk data. The manifest preceding
each application's portion of the tar stream provides version numbers
and signature blocks for version checking, as well as an indication
of whether the restore logic should expect to install the .apk before
extracting the data.
System packages can designate their own full backup agents. This is
to manage things like the settings provider which (a) cannot be shut
down on the fly in order to do a clean snapshot of their file trees,
and (b) manage data that is not only irrelevant but actively hostile
to non-identical devices -- CDMA telephony settings would seriously
mess up a GSM device if emplaced there blind, for example.
When a full backup or restore is initiated from adb, the system will
present a confirmation UI that the user must explicitly respond to
within a short [~ 30 seconds] timeout. This is to avoid the
possibility of malicious desktop-side software secretly grabbing a copy
of all the user's data for nefarious purposes.
(*) The backup is not strictly a full mirror. In particular, the
settings database is not cloned; it is handled the same way that
it is in cloud backup/restore. This is because some settings
are actively destructive if cloned onto a different (or
especially a different-model) device: telephony settings and
AndroidID are good examples of this.
(**) On the framework side it doesn't care that it's adb; it just
sends the tar stream to a file descriptor. This can easily be
retargeted around whatever transport we might decide to use
in the future.
KNOWN ISSUES:
* the security UI is desperately ugly; no proper designs have yet
been done for it
* restore is not yet implemented
* shared storage backup is not yet implemented
* symlinks aren't yet handled, though some infrastructure for
dealing with them has been put in place.
Change-Id: Ia8347611e23b398af36ea22c36dff0a276b1ce91
The public API is not supposed to require the BACKUP permission in order
for an application to restore its own last-known-good backup data. However,
as currently implemented, BackupManager.requestRestore() [the public API
in question] depends on private Backup Manager methods that *do* enforce
that permission. The net result is that the method cannot be successfully
used by third party applications: it will throw an exception if attempted.
This CL restructures the permission checking involved.
First, the underlying beginRestoreSession() operation can now be passed a
'null' transport name; if this is done, then the restore session is begun
on whatever the currently-active transport is. Looking up the name of the
active transport is one of the permission-guarded actions that was required
with the initial implementation.
Second, a package name can now be passed to beginRestoreSession(). If
this is done, then the restore session can only be used to perform a
single-package restore of that one application. The BACKUP permission is
not required if the caller is tying the restore to its own package name.
In combination, these changes permit BackupManager.requestRestore() to
function without the calling app needing to hold any special permission.
The no-permission case is intentionally quite narrow: the caller must
hold the permission unless they both (a) pass 'null' for the transport
name, thereby accepting whatever the currently active transport is, and
(b) pass their own package name to restrict the restore session only
to their own app.
External bug http://code.google.com/p/android/issues/detail?id=10094
Internal bug 3197202
Change-Id: Ibc9d652323f2da03727d850f991b4096af6520d2
Properly guard against a null set of available restore sets when
validating the token passed to 'bmgr restore TOKEN' against what's
known to exist on the backend.
Fixes bug 3153986
Change-Id: I74bdd4c6242f682833c1633baa4fefccb2b165a7
This transaction can involve the transport having to query a remote backend
over the wire, so it can take a Long Time(tm). Make it main-thread-safe by
making it asynchronous, with the results passed as a callback to the invoker's
RestoreObserver. We also make the IRestoreObserver callback interface
properly oneway.
Bug #2550665
Bug #2549422
Change-Id: If18a233a0a3d54c7b55101715c9e6195b762c5a0
* @hide the android.app.backup.RestoreSession class and functionality
* Provide a public method on android.app.backup.BackupManager that apps
can use to request a restore pass of their last-known-good dataset.
The new method is called requestRestore().
* Provide the name of the package being restored, not just its ordinal,
in the RestoreObserver's onUpdate() callback.
Part of bug #2545514
Change-Id: I9689bf8d6e2b808b4ee412424a36a835be0a5ca8
Also sanity-check the package name on the Backup Manager side, failing gracefully
if the given package is not a backup/restore participant.
Bug: 2293977
Change-Id: I3575046ffcaa3cf45c1c602824baeadd64082f70
Renamed the RestoreSession performRestore() method to restoreAll(), and
added a new restorePackage() method that only restores the single
specified app. In order to restore an app other than itself, the
caller must hold the android.permission.BACKUP permission.
This change also introduces dataset tracking: the Backup Manager
persistently remembers both the current backup dataset's identity
and that of the "ancestral" dataset, i.e. the one most recently used
for a whole-device restore such as performed by SetupWizard. When a
single package is restored via restorePackage(), the selection of
most-recent dataset to use is this:
1. The data from the currently-active backup dataset, if such exists.
An app that has ever backed up data will therefore get its last-
known-good data.
2. The app's data from the ancestral dataset, if such exists. This
covers the case of a factory reset followed by reinstallation of
an app at a later time. The app had not yet backed anything up
post-wipe, but the old data is in the ancestral dataset and should
be brought forward when the app reappears.
3. If neither 1. nor 2. exist, there is no data to restore, so just
skip it and return failure.
Note that the infrastructure to automatically attempt a restore after
an application has been installed does not yet exist; that's coming.
Change-Id: I0ba170df9885128000c46ed28d3dddda3a63a143
Specifically, don't wait for the RestoreObserver to be informed that the restore
has completed unless performRestore() ran. We were winding up in a case where
bmgr was hanging forever waiting on a nonexistent restore process instead of
calling endRestoreSession().
Also improve the documentation, explicitly calling out the need to call
endRestoreSession() even if previous operations on the session were
unsuccessful.
