Add snapshotProfile APIs to installd
Add APIs that will snapshot the profile information of packages
in a well known location.
The snapshot ownership is given to AID_SYSTEM. The location is
next to the application reference profile:
/data/misc/profiles/ref/pkg_name/primary.prof.snapshot.
The intended flow for snapshotting profiles is:
mInstaller.snapshotProfile(appId, packageName, codePath);
// open profile snapshot
mInstaller.destroyProfileSnapshot(packageName, codePath);
The reference profile directory is made searchable by others
(in order for the system to be able to open the snapshot profile).
Test: installd_dexopt_test installd_utils_test
Bug: 30934496
Change-Id: Ic4973d5c67243d7724ecd24a238ed0ae8baadcc6
diff --git a/cmds/installd/InstalldNativeService.cpp b/cmds/installd/InstalldNativeService.cpp
index 4246536..93353bf 100644
--- a/cmds/installd/InstalldNativeService.cpp
+++ b/cmds/installd/InstalldNativeService.cpp
@@ -436,7 +436,7 @@
// profiles.
int shared_app_gid = multiuser_get_shared_gid(0, appId);
if ((shared_app_gid != -1) && fs_prepare_dir_strict(
- ref_profile_path.c_str(), 0700, shared_app_gid, shared_app_gid) != 0) {
+ ref_profile_path.c_str(), 0701, shared_app_gid, shared_app_gid) != 0) {
return error("Failed to prepare " + ref_profile_path);
}
}
@@ -1833,6 +1833,29 @@
return ok();
}
+binder::Status InstalldNativeService::snapshotProfile(int32_t appId, const std::string& packageName,
+ const std::string& codePath, bool* _aidl_return) {
+ ENFORCE_UID(AID_SYSTEM);
+ CHECK_ARGUMENT_PACKAGE_NAME(packageName);
+ std::lock_guard<std::recursive_mutex> lock(mLock);
+
+ *_aidl_return = snapshot_profile(appId, packageName, codePath);
+ return ok();
+}
+
+binder::Status InstalldNativeService::destroyProfileSnapshot(const std::string& packageName,
+ const std::string& codePath) {
+ ENFORCE_UID(AID_SYSTEM);
+ CHECK_ARGUMENT_PACKAGE_NAME(packageName);
+ std::lock_guard<std::recursive_mutex> lock(mLock);
+
+ std::string snapshot = create_snapshot_profile_path(packageName, codePath);
+ if ((unlink(snapshot.c_str()) != 0) && (errno != ENOENT)) {
+ return error("Failed to destroy profile snapshot for " + packageName + ":" + codePath);
+ }
+ return ok();
+}
+
binder::Status InstalldNativeService::dexopt(const std::string& apkPath, int32_t uid,
const std::unique_ptr<std::string>& packageName, const std::string& instructionSet,
int32_t dexoptNeeded, const std::unique_ptr<std::string>& outputPath, int32_t dexFlags,
diff --git a/cmds/installd/InstalldNativeService.h b/cmds/installd/InstalldNativeService.h
index c8db3df..f205efc 100644
--- a/cmds/installd/InstalldNativeService.h
+++ b/cmds/installd/InstalldNativeService.h
@@ -96,6 +96,11 @@
binder::Status clearAppProfiles(const std::string& packageName);
binder::Status destroyAppProfiles(const std::string& packageName);
+ binder::Status snapshotProfile(int32_t appId, const std::string& packageName,
+ const std::string& codePath, bool* _aidl_return);
+ binder::Status destroyProfileSnapshot(const std::string& packageName,
+ const std::string& codePath);
+
binder::Status idmap(const std::string& targetApkPath, const std::string& overlayApkPath,
int32_t uid);
binder::Status removeIdmap(const std::string& overlayApkPath);
diff --git a/cmds/installd/binder/android/os/IInstalld.aidl b/cmds/installd/binder/android/os/IInstalld.aidl
index 452a2b1..3374106 100644
--- a/cmds/installd/binder/android/os/IInstalld.aidl
+++ b/cmds/installd/binder/android/os/IInstalld.aidl
@@ -62,6 +62,9 @@
void clearAppProfiles(@utf8InCpp String packageName);
void destroyAppProfiles(@utf8InCpp String packageName);
+ boolean snapshotProfile(int appId, @utf8InCpp String packageName, @utf8InCpp String codePath);
+ void destroyProfileSnapshot(@utf8InCpp String packageName, @utf8InCpp String codePath);
+
void idmap(@utf8InCpp String targetApkPath, @utf8InCpp String overlayApkPath, int uid);
void removeIdmap(@utf8InCpp String overlayApkPath);
void rmPackageDir(@utf8InCpp String packageDir);
diff --git a/cmds/installd/dexopt.cpp b/cmds/installd/dexopt.cpp
index af2c527..8917684 100644
--- a/cmds/installd/dexopt.cpp
+++ b/cmds/installd/dexopt.cpp
@@ -561,14 +561,12 @@
}
}
-static bool create_profile(int uid, const std::string& profile) {
- unique_fd fd(TEMP_FAILURE_RETRY(open(profile.c_str(), O_CREAT | O_NOFOLLOW, 0600)));
+static unique_fd create_profile(uid_t uid, const std::string& profile, int32_t flags) {
+ unique_fd fd(TEMP_FAILURE_RETRY(open(profile.c_str(), flags, 0600)));
if (fd.get() < 0) {
- if (errno == EEXIST) {
- return true;
- } else {
+ if (errno != EEXIST) {
PLOG(ERROR) << "Failed to create profile " << profile;
- return false;
+ return invalid_unique_fd();
}
}
// Profiles should belong to the app; make sure of that by giving ownership to
@@ -576,27 +574,26 @@
// since dex2oat/profman will fail with SElinux denials.
if (fchown(fd.get(), uid, uid) < 0) {
PLOG(ERROR) << "Could not chwon profile " << profile;
- return false;
+ return invalid_unique_fd();
}
- return true;
+ return fd;
}
-static unique_fd open_profile(int uid, const std::string& profile, bool read_write) {
- // Check if we need to open the profile for a read-write operation. If so, we
- // might need to create the profile since the file might not be there. Reference
- // profiles are created on the fly so they might not exist beforehand.
- if (read_write) {
- if (!create_profile(uid, profile)) {
- return invalid_unique_fd();
- }
- }
- int flags = read_write ? O_RDWR : O_RDONLY;
+static unique_fd open_profile(uid_t uid, const std::string& profile, int32_t flags) {
// Do not follow symlinks when opening a profile:
// - primary profiles should not contain symlinks in their paths
// - secondary dex paths should have been already resolved and validated
flags |= O_NOFOLLOW;
- unique_fd fd(TEMP_FAILURE_RETRY(open(profile.c_str(), flags)));
+ // Check if we need to create the profile
+ // Reference profiles and snapshots are created on the fly; so they might not exist beforehand.
+ unique_fd fd;
+ if ((flags & O_CREAT) != 0) {
+ fd = create_profile(uid, profile, flags);
+ } else {
+ fd.reset(TEMP_FAILURE_RETRY(open(profile.c_str(), flags)));
+ }
+
if (fd.get() < 0) {
if (errno != ENOENT) {
// Profiles might be missing for various reasons. For example, in a
@@ -616,13 +613,19 @@
static unique_fd open_current_profile(uid_t uid, userid_t user, const std::string& location,
bool is_secondary_dex) {
std::string profile = create_current_profile_path(user, location, is_secondary_dex);
- return open_profile(uid, profile, /*read_write*/false);
+ return open_profile(uid, profile, O_RDONLY);
}
static unique_fd open_reference_profile(uid_t uid, const std::string& location, bool read_write,
bool is_secondary_dex) {
std::string profile = create_reference_profile_path(location, is_secondary_dex);
- return open_profile(uid, profile, read_write);
+ return open_profile(uid, profile, read_write ? (O_CREAT | O_RDWR) : O_RDONLY);
+}
+
+static unique_fd open_spnashot_profile(uid_t uid, const std::string& package_name,
+ const std::string& code_path) {
+ std::string profile = create_snapshot_profile_path(package_name, code_path);
+ return open_profile(uid, profile, O_CREAT | O_RDWR | O_TRUNC);
}
static void open_profile_files(uid_t uid, const std::string& location, bool is_secondary_dex,
@@ -2307,5 +2310,42 @@
}
}
+bool snapshot_profile(int32_t app_id, const std::string& package_name,
+ const std::string& code_path) {
+ int app_shared_gid = multiuser_get_shared_gid(/*user_id*/ 0, app_id);
+
+ unique_fd snapshot_fd = open_spnashot_profile(AID_SYSTEM, package_name, code_path);
+ if (snapshot_fd < 0) {
+ return false;
+ }
+
+ std::vector<unique_fd> profiles_fd;
+ unique_fd reference_profile_fd;
+ open_profile_files(app_shared_gid, package_name, /*is_secondary_dex*/ false, &profiles_fd,
+ &reference_profile_fd);
+ if (profiles_fd.empty() || (reference_profile_fd.get() < 0)) {
+ return false;
+ }
+
+ profiles_fd.push_back(std::move(reference_profile_fd));
+
+ pid_t pid = fork();
+ if (pid == 0) {
+ /* child -- drop privileges before continuing */
+ drop_capabilities(app_shared_gid);
+ run_profman_merge(profiles_fd, snapshot_fd);
+ exit(42); /* only get here on exec failure */
+ }
+
+ /* parent */
+ int return_code = wait_child(pid);
+ if (!WIFEXITED(return_code)) {
+ LOG(WARNING) << "profman failed for " << package_name << ":" << code_path;
+ return false;
+ }
+
+ return true;
+}
+
} // namespace installd
} // namespace android
diff --git a/cmds/installd/dexopt.h b/cmds/installd/dexopt.h
index 1f41e67..8ece893 100644
--- a/cmds/installd/dexopt.h
+++ b/cmds/installd/dexopt.h
@@ -50,6 +50,17 @@
// the reference profiles accessible with open_reference_profile().
bool analyze_primary_profiles(uid_t uid, const std::string& pkgname);
+// Create a snapshot of the profile information for the given package and code path.
+// The profile snapshot is the aggregation of all existing profiles (all current user
+// profiles & the reference profile) and is meant to capture the all the profile information
+// without performing a merge into the reference profile which might impact future dex2oat
+// compilations.
+// The snapshot is created next to the reference profile of the package and the
+// ownership is assigned to AID_SYSTEM.
+// The snapshot location is reference_profile_location.snapshot. If a snapshot is already
+// there, it will be truncated and overwritten.
+bool snapshot_profile(int32_t app_id, const std::string& package, const std::string& code_path);
+
bool dump_profiles(int32_t uid, const std::string& pkgname, const char* code_paths);
bool copy_system_profile(const std::string& system_profile,
diff --git a/cmds/installd/tests/installd_dexopt_test.cpp b/cmds/installd/tests/installd_dexopt_test.cpp
index 821b96f..19b42b5 100644
--- a/cmds/installd/tests/installd_dexopt_test.cpp
+++ b/cmds/installd/tests/installd_dexopt_test.cpp
@@ -14,20 +14,33 @@
* limitations under the License.
*/
+#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/stringprintf.h>
+#include <android-base/unique_fd.h>
+
#include <cutils/properties.h>
+
#include <gtest/gtest.h>
+#include <selinux/android.h>
+#include <selinux/avc.h>
+
#include "dexopt.h"
#include "InstalldNativeService.h"
#include "globals.h"
#include "tests/test_utils.h"
#include "utils.h"
+using android::base::ReadFully;
+using android::base::unique_fd;
+
namespace android {
namespace installd {
@@ -76,6 +89,42 @@
::chmod(path.c_str(), mode);
}
+static int log_callback(int type, const char *fmt, ...) { // NOLINT
+ va_list ap;
+ int priority;
+
+ switch (type) {
+ case SELINUX_WARNING:
+ priority = ANDROID_LOG_WARN;
+ break;
+ case SELINUX_INFO:
+ priority = ANDROID_LOG_INFO;
+ break;
+ default:
+ priority = ANDROID_LOG_ERROR;
+ break;
+ }
+ va_start(ap, fmt);
+ LOG_PRI_VA(priority, "SELinux", fmt, ap);
+ va_end(ap);
+ return 0;
+}
+
+static bool init_selinux() {
+ int selinux_enabled = (is_selinux_enabled() > 0);
+
+ union selinux_callback cb;
+ cb.func_log = log_callback;
+ selinux_set_callback(SELINUX_CB_LOG, cb);
+
+ if (selinux_enabled && selinux_status_open(true) < 0) {
+ LOG(ERROR) << "Could not open selinux status; exiting";
+ return false;
+ }
+
+ return true;
+}
+
// Base64 encoding of a simple dex files with 2 methods.
static const char kDexFile[] =
"UEsDBBQAAAAIAOiOYUs9y6BLCgEAABQCAAALABwAY2xhc3Nlcy5kZXhVVAkAA/Ns+lkOHv1ZdXgL"
@@ -97,6 +146,7 @@
static constexpr int32_t kAppDataFlags = FLAG_STORAGE_CE | FLAG_STORAGE_DE;
static constexpr uid_t kTestAppUid = 19999;
static constexpr gid_t kTestAppGid = 19999;
+ static constexpr uid_t kTestAppId = kTestAppUid;
static constexpr int32_t kTestUserId = 0;
InstalldNativeService* service_;
@@ -116,15 +166,18 @@
virtual void SetUp() {
setenv("ANDROID_LOG_TAGS", "*:v", 1);
android::base::InitLogging(nullptr);
-
+ // Initialize the globals holding the file system main paths (/data/, /system/ etc..).
+ // This is needed in order to compute the application and profile paths.
+ ASSERT_TRUE(init_globals_from_data_and_root());
+ // Initialize selinux log callbacks.
+ // This ensures that selinux is up and running and re-directs the selinux messages
+ // to logcat (in order to make it easier to investigate test results).
+ ASSERT_TRUE(init_selinux());
service_ = new InstalldNativeService();
volume_uuid_ = nullptr;
package_name_ = "com.installd.test.dexopt";
se_info_ = "default";
-
- init_globals_from_data_and_root();
-
app_apk_dir_ = android_app_dir + package_name_;
create_mock_app();
@@ -183,14 +236,14 @@
}
- std::string get_secondary_dex_artifact(const std::string& path, const std::string& type) {
+ std::string GetSecondaryDexArtifact(const std::string& path, const std::string& type) {
std::string::size_type end = path.rfind('.');
std::string::size_type start = path.rfind('/', end);
return path.substr(0, start) + "/oat/" + kRuntimeIsa + "/" +
path.substr(start + 1, end - start) + type;
}
- void compile_secondary_dex(const std::string& path, int32_t dex_storage_flag,
+ void CompileSecondaryDex(const std::string& path, int32_t dex_storage_flag,
bool should_binder_call_succeed, bool should_dex_be_compiled = true,
int uid = kTestAppUid) {
std::unique_ptr<std::string> package_name_ptr(new std::string(package_name_));
@@ -216,9 +269,9 @@
downgrade);
ASSERT_EQ(should_binder_call_succeed, result.isOk());
int expected_access = should_dex_be_compiled ? 0 : -1;
- std::string odex = get_secondary_dex_artifact(path, "odex");
- std::string vdex = get_secondary_dex_artifact(path, "vdex");
- std::string art = get_secondary_dex_artifact(path, "art");
+ std::string odex = GetSecondaryDexArtifact(path, "odex");
+ std::string vdex = GetSecondaryDexArtifact(path, "vdex");
+ std::string art = GetSecondaryDexArtifact(path, "art");
ASSERT_EQ(expected_access, access(odex.c_str(), R_OK));
ASSERT_EQ(expected_access, access(vdex.c_str(), R_OK));
ASSERT_EQ(-1, access(art.c_str(), R_OK)); // empty profiles do not generate an image.
@@ -243,56 +296,64 @@
ASSERT_EQ(should_dex_exist, out_secondary_dex_exists);
int expected_access = should_dex_be_deleted ? -1 : 0;
- std::string odex = get_secondary_dex_artifact(path, "odex");
- std::string vdex = get_secondary_dex_artifact(path, "vdex");
- std::string art = get_secondary_dex_artifact(path, "art");
+ std::string odex = GetSecondaryDexArtifact(path, "odex");
+ std::string vdex = GetSecondaryDexArtifact(path, "vdex");
+ std::string art = GetSecondaryDexArtifact(path, "art");
ASSERT_EQ(expected_access, access(odex.c_str(), F_OK));
ASSERT_EQ(expected_access, access(vdex.c_str(), F_OK));
ASSERT_EQ(-1, access(art.c_str(), R_OK)); // empty profiles do not generate an image.
}
+
+ void CheckFileAccess(const std::string& file, uid_t uid, gid_t gid, mode_t mode) {
+ struct stat st;
+ ASSERT_EQ(0, stat(file.c_str(), &st));
+ ASSERT_EQ(uid, st.st_uid);
+ ASSERT_EQ(gid, st.st_gid);
+ ASSERT_EQ(mode, st.st_mode);
+ }
};
TEST_F(DexoptTest, DexoptSecondaryCe) {
LOG(INFO) << "DexoptSecondaryCe";
- compile_secondary_dex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
+ CompileSecondaryDex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
/*binder_ok*/ true, /*compile_ok*/ true);
}
TEST_F(DexoptTest, DexoptSecondaryCeLink) {
LOG(INFO) << "DexoptSecondaryCeLink";
- compile_secondary_dex(secondary_dex_ce_link_, DEXOPT_STORAGE_CE,
+ CompileSecondaryDex(secondary_dex_ce_link_, DEXOPT_STORAGE_CE,
/*binder_ok*/ true, /*compile_ok*/ true);
}
TEST_F(DexoptTest, DexoptSecondaryDe) {
LOG(INFO) << "DexoptSecondaryDe";
- compile_secondary_dex(secondary_dex_de_, DEXOPT_STORAGE_DE,
+ CompileSecondaryDex(secondary_dex_de_, DEXOPT_STORAGE_DE,
/*binder_ok*/ true, /*compile_ok*/ true);
}
TEST_F(DexoptTest, DexoptSecondaryDoesNotExist) {
LOG(INFO) << "DexoptSecondaryDoesNotExist";
// If the file validates but does not exist we do not treat it as an error.
- compile_secondary_dex(secondary_dex_ce_ + "not.there", DEXOPT_STORAGE_CE,
+ CompileSecondaryDex(secondary_dex_ce_ + "not.there", DEXOPT_STORAGE_CE,
/*binder_ok*/ true, /*compile_ok*/ false);
}
TEST_F(DexoptTest, DexoptSecondaryStorageValidationError) {
LOG(INFO) << "DexoptSecondaryStorageValidationError";
- compile_secondary_dex(secondary_dex_ce_, DEXOPT_STORAGE_DE,
+ CompileSecondaryDex(secondary_dex_ce_, DEXOPT_STORAGE_DE,
/*binder_ok*/ false, /*compile_ok*/ false);
}
TEST_F(DexoptTest, DexoptSecondaryAppOwnershipValidationError) {
LOG(INFO) << "DexoptSecondaryAppOwnershipValidationError";
- compile_secondary_dex("/data/data/random.app/secondary.jar", DEXOPT_STORAGE_CE,
+ CompileSecondaryDex("/data/data/random.app/secondary.jar", DEXOPT_STORAGE_CE,
/*binder_ok*/ false, /*compile_ok*/ false);
}
TEST_F(DexoptTest, DexoptSecondaryAcessViaDifferentUidError) {
LOG(INFO) << "DexoptSecondaryAcessViaDifferentUidError";
- compile_secondary_dex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
+ CompileSecondaryDex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
/*binder_ok*/ false, /*compile_ok*/ false, kSystemUid);
}
@@ -300,9 +361,9 @@
class ReconcileTest : public DexoptTest {
virtual void SetUp() {
DexoptTest::SetUp();
- compile_secondary_dex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
+ CompileSecondaryDex(secondary_dex_ce_, DEXOPT_STORAGE_CE,
/*binder_ok*/ true, /*compile_ok*/ true);
- compile_secondary_dex(secondary_dex_de_, DEXOPT_STORAGE_DE,
+ CompileSecondaryDex(secondary_dex_de_, DEXOPT_STORAGE_DE,
/*binder_ok*/ true, /*compile_ok*/ true);
}
};
@@ -355,5 +416,145 @@
/*binder_ok*/ true, /*dex_ok */ false, /*odex_deleted*/ false, kSystemUid);
}
+class ProfileTest : public DexoptTest {
+ protected:
+ std::string cur_profile_;
+ std::string ref_profile_;
+ std::string snap_profile_;
+
+ virtual void SetUp() {
+ DexoptTest::SetUp();
+ cur_profile_ = create_current_profile_path(
+ kTestUserId, package_name_, /*is_secondary_dex*/ false);
+ ref_profile_ = create_reference_profile_path(package_name_, /*is_secondary_dex*/ false);
+ snap_profile_ = create_snapshot_profile_path(package_name_, "base.jar");
+ }
+
+ void SetupProfile(const std::string& path, uid_t uid, gid_t gid, mode_t mode, int32_t seed) {
+ run_cmd("profman --generate-test-profile-seed=" + std::to_string(seed) +
+ " --generate-test-profile-num-dex=2 --generate-test-profile=" + path);
+ ::chmod(path.c_str(), mode);
+ ::chown(path.c_str(), uid, gid);
+ }
+
+ void SetupProfiles(bool setup_ref) {
+ SetupProfile(cur_profile_, kTestAppUid, kTestAppGid, 0600, 1);
+ if (setup_ref) {
+ SetupProfile(ref_profile_, kTestAppUid, kTestAppGid, 0060, 2);
+ }
+ }
+
+ void SnapshotProfile(int32_t appid, const std::string& package_name, bool expected_result) {
+ bool result;
+ binder::Status binder_result = service_->snapshotProfile(
+ appid, package_name, "base.jar", &result);
+ ASSERT_TRUE(binder_result.isOk());
+ ASSERT_EQ(expected_result, result);
+
+ if (!expected_result) {
+ // Do not check the files if we expect to fail.
+ return;
+ }
+
+ // Check that the snapshot was created witht he expected acess flags.
+ CheckFileAccess(snap_profile_, kSystemUid, kSystemGid, 0600 | S_IFREG);
+
+ // The snapshot should be equivalent to the merge of profiles.
+ std::string expected_profile_content = snap_profile_ + ".expected";
+ run_cmd("rm -f " + expected_profile_content);
+ run_cmd("touch " + expected_profile_content);
+ run_cmd("profman --profile-file=" + cur_profile_ +
+ " --profile-file=" + ref_profile_ +
+ " --reference-profile-file=" + expected_profile_content);
+
+ ASSERT_TRUE(AreFilesEqual(expected_profile_content, snap_profile_));
+
+ pid_t pid = fork();
+ if (pid == 0) {
+ /* child */
+ TransitionToSystemServer();
+
+ // System server should be able to open the the spanshot.
+ unique_fd fd(open(snap_profile_.c_str(), O_RDONLY));
+ ASSERT_TRUE(fd > -1) << "Failed to open profile as kSystemUid: " << strerror(errno);
+ _exit(0);
+ }
+ /* parent */
+ ASSERT_TRUE(WIFEXITED(wait_child(pid)));
+ }
+
+ private:
+ void TransitionToSystemServer() {
+ ASSERT_TRUE(DropCapabilities(kSystemUid, kSystemGid));
+ int32_t res = selinux_android_setcontext(
+ kSystemUid, true, se_info_.c_str(), "system_server");
+ ASSERT_EQ(0, res) << "Failed to setcon " << strerror(errno);
+ }
+
+ bool AreFilesEqual(const std::string& file1, const std::string& file2) {
+ std::vector<uint8_t> content1;
+ std::vector<uint8_t> content2;
+
+ if (!ReadAll(file1, &content1)) return false;
+ if (!ReadAll(file2, &content2)) return false;
+ return content1 == content2;
+ }
+
+ bool ReadAll(const std::string& file, std::vector<uint8_t>* content) {
+ unique_fd fd(open(file.c_str(), O_RDONLY));
+ if (fd < 0) {
+ PLOG(ERROR) << "Failed to open " << file;
+ return false;
+ }
+ struct stat st;
+ if (fstat(fd, &st) != 0) {
+ PLOG(ERROR) << "Failed to stat " << file;
+ return false;
+ }
+ content->resize(st.st_size);
+ bool result = ReadFully(fd, content->data(), content->size());
+ if (!result) {
+ PLOG(ERROR) << "Failed to read " << file;
+ }
+ return result;
+ }
+};
+
+TEST_F(ProfileTest, ProfileSnapshotOk) {
+ LOG(INFO) << "ProfileSnapshotOk";
+
+ SetupProfiles(/*setup_ref*/ true);
+ SnapshotProfile(kTestAppId, package_name_, /*expected_result*/ true);
+}
+
+// The reference profile is created on the fly. We need to be able to
+// snapshot without one.
+TEST_F(ProfileTest, ProfileSnapshotOkNoReference) {
+ LOG(INFO) << "ProfileSnapshotOkNoReference";
+
+ SetupProfiles(/*setup_ref*/ false);
+ SnapshotProfile(kTestAppId, package_name_, /*expected_result*/ true);
+}
+
+TEST_F(ProfileTest, ProfileSnapshotFailWrongPackage) {
+ LOG(INFO) << "ProfileSnapshotFailWrongPackage";
+
+ SetupProfiles(/*setup_ref*/ true);
+ SnapshotProfile(kTestAppId, "not.there", /*expected_result*/ false);
+}
+
+TEST_F(ProfileTest, ProfileSnapshotDestroySnapshot) {
+ LOG(INFO) << "ProfileSnapshotDestroySnapshot";
+
+ SetupProfiles(/*setup_ref*/ true);
+ SnapshotProfile(kTestAppId, package_name_, /*expected_result*/ true);
+
+ binder::Status binder_result = service_->destroyProfileSnapshot(package_name_, "base.jar");
+ ASSERT_TRUE(binder_result.isOk());
+ struct stat st;
+ ASSERT_EQ(-1, stat(snap_profile_.c_str(), &st));
+ ASSERT_EQ(ENOENT, errno);
+}
+
} // namespace installd
} // namespace android
diff --git a/cmds/installd/tests/installd_utils_test.cpp b/cmds/installd/tests/installd_utils_test.cpp
index a6a4451..49da85d 100644
--- a/cmds/installd/tests/installd_utils_test.cpp
+++ b/cmds/installd/tests/installd_utils_test.cpp
@@ -350,6 +350,12 @@
create_reference_profile_path("com.example", /*is_secondary*/false));
}
+TEST_F(UtilsTest, CreateProfileSnapshot) {
+ std::string expected =
+ create_primary_reference_profile_package_dir_path("com.example") + "/primary.prof.snapshot";
+ EXPECT_EQ(expected, create_snapshot_profile_path("com.example", "base.apk"));
+}
+
TEST_F(UtilsTest, CreateSecondaryCurrentProfile) {
EXPECT_EQ("/data/user/0/com.example/oat/secondary.dex.cur.prof",
create_current_profile_path(/*user*/0,
diff --git a/cmds/installd/tests/test_utils.h b/cmds/installd/tests/test_utils.h
index 7d1162e..b8785c6 100644
--- a/cmds/installd/tests/test_utils.h
+++ b/cmds/installd/tests/test_utils.h
@@ -1,6 +1,9 @@
-#include <android-base/logging.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/capability.h>
+
+#include <android-base/logging.h>
+#include <selinux/android.h>
uint8_t kBase64Map[256] = {
255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
@@ -105,3 +108,27 @@
}
return true;
}
+
+// TODO(calin): fix dexopt drop_capabilities and move to general utils (b/69678790).
+bool DropCapabilities(uid_t uid, gid_t gid) {
+ if (setgid(gid) != 0) {
+ PLOG(ERROR) << "setgid failed: " << gid;
+ return false;
+ }
+ if (setuid(uid) != 0) {
+ PLOG(ERROR) << "setuid failed: " << uid;
+ return false;
+ }
+ // drop capabilities
+ struct __user_cap_header_struct capheader;
+ struct __user_cap_data_struct capdata[2];
+ memset(&capheader, 0, sizeof(capheader));
+ memset(&capdata, 0, sizeof(capdata));
+ capheader.version = _LINUX_CAPABILITY_VERSION_3;
+ if (capset(&capheader, &capdata[0]) < 0) {
+ PLOG(ERROR) << "capset failed";
+ return false;
+ }
+
+ return true;
+}
diff --git a/cmds/installd/utils.cpp b/cmds/installd/utils.cpp
index 7dca7c6..61c9c8f 100644
--- a/cmds/installd/utils.cpp
+++ b/cmds/installd/utils.cpp
@@ -236,6 +236,7 @@
const std::string PROFILE_EXT = ".prof";
const std::string CURRENT_PROFILE_EXT = ".cur";
const std::string PRIMARY_PROFILE_NAME = "primary" + PROFILE_EXT;
+const std::string SNAPSHOT_PROFILE_EXT = ".snapshot";
// Gets the parent directory and the file name for the given secondary dex path.
// Returns true on success, false on failure (if the dex_path does not have the expected
@@ -289,6 +290,14 @@
}
}
+std::string create_snapshot_profile_path(const std::string& package,
+ const std::string& code_path ATTRIBUTE_UNUSED) {
+ // TODD(calin): code_path is ignored for now. It will be used when each split gets its own
+ // profile file.
+ std::string ref_profile = create_reference_profile_path(package, /*is_secondary_dex*/ false);
+ return ref_profile + SNAPSHOT_PROFILE_EXT;
+}
+
std::vector<userid_t> get_known_users(const char* volume_uuid) {
std::vector<userid_t> users;
diff --git a/cmds/installd/utils.h b/cmds/installd/utils.h
index b90caf9..5391061 100644
--- a/cmds/installd/utils.h
+++ b/cmds/installd/utils.h
@@ -83,6 +83,7 @@
userid_t user, const std::string& package_name, bool is_secondary_dex);
std::string create_reference_profile_path(
const std::string& package_name, bool is_secondary_dex);
+std::string create_snapshot_profile_path(const std::string& package, const std::string& code_path);
std::vector<userid_t> get_known_users(const char* volume_uuid);