1 /*
2  * Copyright (C) 2018 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "apexd.h"
18 #include "apex_file_repository.h"
19 #include "apexd_private.h"
20 
21 #include "apex_constants.h"
22 #include "apex_database.h"
23 #include "apex_file.h"
24 #include "apex_manifest.h"
25 #include "apex_shim.h"
26 #include "apexd_checkpoint.h"
27 #include "apexd_lifecycle.h"
28 #include "apexd_loop.h"
29 #include "apexd_prepostinstall.h"
30 #include "apexd_rollback_utils.h"
31 #include "apexd_session.h"
32 #include "apexd_utils.h"
33 #include "apexd_verity.h"
34 #include "com_android_apex.h"
35 
36 #include <ApexProperties.sysprop.h>
37 #include <android-base/chrono_utils.h>
38 #include <android-base/file.h>
39 #include <android-base/logging.h>
40 #include <android-base/macros.h>
41 #include <android-base/parseint.h>
42 #include <android-base/properties.h>
43 #include <android-base/scopeguard.h>
44 #include <android-base/stringprintf.h>
45 #include <android-base/strings.h>
46 #include <android-base/unique_fd.h>
47 #include <google/protobuf/util/message_differencer.h>
48 #include <libavb/libavb.h>
49 #include <libdm/dm.h>
50 #include <libdm/dm_table.h>
51 #include <libdm/dm_target.h>
52 #include <selinux/android.h>
53 
54 #include <dirent.h>
55 #include <fcntl.h>
56 #include <linux/f2fs.h>
57 #include <linux/loop.h>
58 #include <stdlib.h>
59 #include <sys/inotify.h>
60 #include <sys/ioctl.h>
61 #include <sys/mount.h>
62 #include <sys/stat.h>
63 #include <sys/sysinfo.h>
64 #include <sys/types.h>
65 #include <unistd.h>
66 #include <algorithm>
67 
68 #include <algorithm>
69 #include <array>
70 #include <chrono>
71 #include <cstdlib>
72 #include <filesystem>
73 #include <fstream>
74 #include <future>
75 #include <iomanip>
76 #include <iterator>
77 #include <memory>
78 #include <mutex>
79 #include <optional>
80 #include <queue>
81 #include <sstream>
82 #include <string>
83 #include <string_view>
84 #include <thread>
85 #include <unordered_map>
86 #include <unordered_set>
87 
88 using android::base::boot_clock;
89 using android::base::ConsumePrefix;
90 using android::base::ErrnoError;
91 using android::base::Error;
92 using android::base::GetProperty;
93 using android::base::Join;
94 using android::base::ParseUint;
95 using android::base::ReadFully;
96 using android::base::RemoveFileIfExists;
97 using android::base::Result;
98 using android::base::SetProperty;
99 using android::base::StringPrintf;
100 using android::base::unique_fd;
101 using android::dm::DeviceMapper;
102 using android::dm::DmDeviceState;
103 using android::dm::DmTable;
104 using android::dm::DmTargetVerity;
105 using ::apex::proto::ApexManifest;
106 using apex::proto::SessionState;
107 using google::protobuf::util::MessageDifferencer;
108 
109 namespace android {
110 namespace apex {
111 
112 using MountedApexData = MountedApexDatabase::MountedApexData;
113 
114 namespace {
115 
116 static constexpr const char* kBuildFingerprintSysprop = "ro.build.fingerprint";
117 
118 // This should be in UAPI, but it's not :-(
119 static constexpr const char* kDmVerityRestartOnCorruption =
120     "restart_on_corruption";
121 
122 MountedApexDatabase gMountedApexes;
123 
124 std::optional<ApexdConfig> gConfig;
125 
126 CheckpointInterface* gVoldService;
127 bool gSupportsFsCheckpoints = false;
128 bool gInFsCheckpointMode = false;
129 
130 static constexpr size_t kLoopDeviceSetupAttempts = 3u;
131 
132 // Please DO NOT add new modules to this list without contacting mainline-modularization@ first.
__anonb9f628140202() 133 static const std::vector<std::string> kBootstrapApexes = ([]() {
134   std::vector<std::string> ret = {
135       "com.android.i18n",
136       "com.android.runtime",
137       "com.android.tzdata",
138   };
139 
140   auto vendor_vndk_ver = GetProperty("ro.vndk.version", "");
141   if (vendor_vndk_ver != "") {
142     ret.push_back("com.android.vndk.v" + vendor_vndk_ver);
143   }
144   auto product_vndk_ver = GetProperty("ro.product.vndk.version", "");
145   if (product_vndk_ver != "" && product_vndk_ver != vendor_vndk_ver) {
146     ret.push_back("com.android.vndk.v" + product_vndk_ver);
147   }
148   return ret;
149 })();
150 
151 static constexpr const int kNumRetriesWhenCheckpointingEnabled = 1;
152 
IsBootstrapApex(const ApexFile & apex)153 bool IsBootstrapApex(const ApexFile& apex) {
154   return std::find(kBootstrapApexes.begin(), kBootstrapApexes.end(),
155                    apex.GetManifest().name()) != kBootstrapApexes.end();
156 }
157 
ReleaseF2fsCompressedBlocks(const std::string & file_path)158 void ReleaseF2fsCompressedBlocks(const std::string& file_path) {
159   unique_fd fd(
160       TEMP_FAILURE_RETRY(open(file_path.c_str(), O_RDONLY | O_CLOEXEC, 0)));
161   if (fd.get() == -1) {
162     PLOG(ERROR) << "Failed to open " << file_path;
163     return;
164   }
165   unsigned int flags;
166   if (ioctl(fd, FS_IOC_GETFLAGS, &flags) == -1) {
167     PLOG(ERROR) << "Failed to call FS_IOC_GETFLAGS on " << file_path;
168     return;
169   }
170   if ((flags & FS_COMPR_FL) == 0) {
171     // Doesn't support f2fs-compression.
172     return;
173   }
174   uint64_t blk_cnt;
175   if (ioctl(fd, F2FS_IOC_RELEASE_COMPRESS_BLOCKS, &blk_cnt) == -1) {
176     PLOG(ERROR) << "Failed to call F2FS_IOC_RELEASE_COMPRESS_BLOCKS on "
177                 << file_path;
178   }
179   LOG(INFO) << "Released " << blk_cnt << " compressed blocks from "
180             << file_path;
181 }
182 
183 // Pre-allocate loop devices so that we don't have to wait for them
184 // later when actually activating APEXes.
PreAllocateLoopDevices()185 Result<void> PreAllocateLoopDevices() {
186   auto scan = FindApexes(kApexPackageBuiltinDirs);
187   if (!scan.ok()) {
188     return scan.error();
189   }
190 
191   auto size = 0;
192   for (const auto& path : *scan) {
193     auto apex_file = ApexFile::Open(path);
194     if (!apex_file.ok()) {
195       continue;
196     }
197     size++;
198     // bootstrap Apexes may be activated on separate namespaces.
199     if (IsBootstrapApex(*apex_file)) {
200       size++;
201     }
202   }
203 
204   // note: do not call PreAllocateLoopDevices() if size == 0.
205   // For devices (e.g. ARC) which doesn't support loop-control
206   // PreAllocateLoopDevices() can cause problem when it tries
207   // to access /dev/loop-control.
208   if (size == 0) {
209     return {};
210   }
211   return loop::PreAllocateLoopDevices(size);
212 }
213 
CreateVerityTable(const ApexVerityData & verity_data,const std::string & block_device,const std::string & hash_device,bool restart_on_corruption)214 std::unique_ptr<DmTable> CreateVerityTable(const ApexVerityData& verity_data,
215                                            const std::string& block_device,
216                                            const std::string& hash_device,
217                                            bool restart_on_corruption) {
218   AvbHashtreeDescriptor* desc = verity_data.desc.get();
219   auto table = std::make_unique<DmTable>();
220 
221   uint32_t hash_start_block = 0;
222   if (hash_device == block_device) {
223     hash_start_block = desc->tree_offset / desc->hash_block_size;
224   }
225 
226   auto target = std::make_unique<DmTargetVerity>(
227       0, desc->image_size / 512, desc->dm_verity_version, block_device,
228       hash_device, desc->data_block_size, desc->hash_block_size,
229       desc->image_size / desc->data_block_size, hash_start_block,
230       verity_data.hash_algorithm, verity_data.root_digest, verity_data.salt);
231 
232   target->IgnoreZeroBlocks();
233   if (restart_on_corruption) {
234     target->SetVerityMode(kDmVerityRestartOnCorruption);
235   }
236   table->AddTarget(std::move(target));
237 
238   table->set_readonly(true);
239 
240   return table;
241 }
242 
243 // Deletes a dm-verity device with a given name and path
244 // Synchronizes on the device actually being deleted from userspace.
DeleteVerityDevice(const std::string & name,bool deferred)245 Result<void> DeleteVerityDevice(const std::string& name, bool deferred) {
246   DeviceMapper& dm = DeviceMapper::Instance();
247   if (deferred) {
248     if (!dm.DeleteDeviceDeferred(name)) {
249       return ErrnoError() << "Failed to issue deferred delete of verity device "
250                           << name;
251     }
252     return {};
253   }
254   auto timeout = std::chrono::milliseconds(
255       android::sysprop::ApexProperties::dm_delete_timeout().value_or(750));
256   if (!dm.DeleteDevice(name, timeout)) {
257     return Error() << "Failed to delete dm-device " << name;
258   }
259   return {};
260 }
261 
262 class DmVerityDevice {
263  public:
DmVerityDevice()264   DmVerityDevice() : cleared_(true) {}
DmVerityDevice(std::string name)265   explicit DmVerityDevice(std::string name)
266       : name_(std::move(name)), cleared_(false) {}
DmVerityDevice(std::string name,std::string dev_path)267   DmVerityDevice(std::string name, std::string dev_path)
268       : name_(std::move(name)),
269         dev_path_(std::move(dev_path)),
270         cleared_(false) {}
271 
DmVerityDevice(DmVerityDevice && other)272   DmVerityDevice(DmVerityDevice&& other) noexcept
273       : name_(std::move(other.name_)),
274         dev_path_(std::move(other.dev_path_)),
275         cleared_(other.cleared_) {
276     other.cleared_ = true;
277   }
278 
operator =(DmVerityDevice && other)279   DmVerityDevice& operator=(DmVerityDevice&& other) noexcept {
280     name_ = other.name_;
281     dev_path_ = other.dev_path_;
282     cleared_ = other.cleared_;
283     other.cleared_ = true;
284     return *this;
285   }
286 
~DmVerityDevice()287   ~DmVerityDevice() {
288     if (!cleared_) {
289       Result<void> ret = DeleteVerityDevice(name_, /* deferred= */ false);
290       if (!ret.ok()) {
291         LOG(ERROR) << ret.error();
292       }
293     }
294   }
295 
GetName() const296   const std::string& GetName() const { return name_; }
GetDevPath() const297   const std::string& GetDevPath() const { return dev_path_; }
298 
Release()299   void Release() { cleared_ = true; }
300 
301  private:
302   std::string name_;
303   std::string dev_path_;
304   bool cleared_;
305 };
306 
CreateVerityDevice(const std::string & name,const DmTable & table)307 Result<DmVerityDevice> CreateVerityDevice(const std::string& name,
308                                           const DmTable& table) {
309   DeviceMapper& dm = DeviceMapper::Instance();
310 
311   if (dm.GetState(name) != DmDeviceState::INVALID) {
312     // Delete dangling dm-device. This can happen if apexd fails to delete it
313     // while unmounting an apex.
314     LOG(WARNING) << "Deleting existing dm device " << name;
315     auto result = DeleteVerityDevice(name, /* deferred= */ false);
316     if (!result.ok()) {
317       return result.error();
318     }
319   }
320 
321   auto timeout = std::chrono::milliseconds(
322       android::sysprop::ApexProperties::dm_create_timeout().value_or(1000));
323   std::string dev_path;
324   if (!dm.CreateDevice(name, table, &dev_path, timeout)) {
325     return Errorf("Couldn't create verity device.");
326   }
327   return DmVerityDevice(name, dev_path);
328 }
329 
330 /**
331  * When we create hardlink for a new apex package in kActiveApexPackagesDataDir,
332  * there might be an older version of the same package already present in there.
333  * Since a new version of the same package is being installed on this boot, the
334  * old one needs to deleted so that we don't end up activating same package
335  * twice.
336  *
337  * @param affected_packages package names of the news apex that are being
338  * installed in this boot
339  * @param files_to_keep path to the new apex packages in
340  * kActiveApexPackagesDataDir
341  */
RemovePreviouslyActiveApexFiles(const std::unordered_set<std::string> & affected_packages,const std::unordered_set<std::string> & files_to_keep)342 Result<void> RemovePreviouslyActiveApexFiles(
343     const std::unordered_set<std::string>& affected_packages,
344     const std::unordered_set<std::string>& files_to_keep) {
345   auto all_active_apex_files =
346       FindFilesBySuffix(gConfig->active_apex_data_dir, {kApexPackageSuffix});
347 
348   if (!all_active_apex_files.ok()) {
349     return all_active_apex_files.error();
350   }
351 
352   for (const std::string& path : *all_active_apex_files) {
353     Result<ApexFile> apex_file = ApexFile::Open(path);
354     if (!apex_file.ok()) {
355       return apex_file.error();
356     }
357 
358     const std::string& package_name = apex_file->GetManifest().name();
359     if (affected_packages.find(package_name) == affected_packages.end()) {
360       // This apex belongs to a package that wasn't part of this stage sessions,
361       // hence it should be kept.
362       continue;
363     }
364 
365     if (files_to_keep.find(apex_file->GetPath()) != files_to_keep.end()) {
366       // This is a path that was staged and should be kept.
367       continue;
368     }
369 
370     LOG(DEBUG) << "Deleting previously active apex " << apex_file->GetPath();
371     if (unlink(apex_file->GetPath().c_str()) != 0) {
372       return ErrnoError() << "Failed to unlink " << apex_file->GetPath();
373     }
374   }
375 
376   return {};
377 }
378 
379 // Reads the entire device to verify the image is authenticatic
ReadVerityDevice(const std::string & verity_device,uint64_t device_size)380 Result<void> ReadVerityDevice(const std::string& verity_device,
381                               uint64_t device_size) {
382   static constexpr int kBlockSize = 4096;
383   static constexpr size_t kBufSize = 1024 * kBlockSize;
384   std::vector<uint8_t> buffer(kBufSize);
385 
386   unique_fd fd(
387       TEMP_FAILURE_RETRY(open(verity_device.c_str(), O_RDONLY | O_CLOEXEC)));
388   if (fd.get() == -1) {
389     return ErrnoError() << "Can't open " << verity_device;
390   }
391 
392   size_t bytes_left = device_size;
393   while (bytes_left > 0) {
394     size_t to_read = std::min(bytes_left, kBufSize);
395     if (!android::base::ReadFully(fd.get(), buffer.data(), to_read)) {
396       return ErrnoError() << "Can't verify " << verity_device << "; corrupted?";
397     }
398     bytes_left -= to_read;
399   }
400 
401   return {};
402 }
403 
VerifyMountedImage(const ApexFile & apex,const std::string & mount_point)404 Result<void> VerifyMountedImage(const ApexFile& apex,
405                                 const std::string& mount_point) {
406   // Verify that apex_manifest.pb inside mounted image matches the one in the
407   // outer .apex container.
408   Result<ApexManifest> verified_manifest =
409       ReadManifest(mount_point + "/" + kManifestFilenamePb);
410   if (!verified_manifest.ok()) {
411     return verified_manifest.error();
412   }
413   if (!MessageDifferencer::Equals(*verified_manifest, apex.GetManifest())) {
414     return Errorf(
415         "Manifest inside filesystem does not match manifest outside it");
416   }
417   if (shim::IsShimApex(apex)) {
418     return shim::ValidateShimApex(mount_point, apex);
419   }
420   return {};
421 }
422 
MountPackageImpl(const ApexFile & apex,const std::string & mount_point,const std::string & device_name,const std::string & hashtree_file,bool verify_image,bool temp_mount=false)423 Result<MountedApexData> MountPackageImpl(const ApexFile& apex,
424                                          const std::string& mount_point,
425                                          const std::string& device_name,
426                                          const std::string& hashtree_file,
427                                          bool verify_image,
428                                          bool temp_mount = false) {
429   if (apex.IsCompressed()) {
430     return Error() << "Cannot directly mount compressed APEX "
431                    << apex.GetPath();
432   }
433 
434   LOG(VERBOSE) << "Creating mount point: " << mount_point;
435   auto time_started = boot_clock::now();
436   // Note: the mount point could exist in case when the APEX was activated
437   // during the bootstrap phase (e.g., the runtime or tzdata APEX).
438   // Although we have separate mount namespaces to separate the early activated
439   // APEXes from the normally activate APEXes, the mount points themselves
440   // are shared across the two mount namespaces because /apex (a tmpfs) itself
441   // mounted at / which is (and has to be) a shared mount. Therefore, if apexd
442   // finds an empty directory under /apex, it's not a problem and apexd can use
443   // it.
444   auto exists = PathExists(mount_point);
445   if (!exists.ok()) {
446     return exists.error();
447   }
448   if (!*exists && mkdir(mount_point.c_str(), kMkdirMode) != 0) {
449     return ErrnoError() << "Could not create mount point " << mount_point;
450   }
451   auto deleter = [&mount_point]() {
452     if (rmdir(mount_point.c_str()) != 0) {
453       PLOG(WARNING) << "Could not rmdir " << mount_point;
454     }
455   };
456   auto scope_guard = android::base::make_scope_guard(deleter);
457   if (!IsEmptyDirectory(mount_point)) {
458     return ErrnoError() << mount_point << " is not empty";
459   }
460 
461   const std::string& full_path = apex.GetPath();
462 
463   if (!apex.GetImageOffset() || !apex.GetImageSize()) {
464     return Error() << "Cannot create mount point without image offset and size";
465   }
466   loop::LoopbackDeviceUniqueFd loopback_device;
467   for (size_t attempts = 1;; ++attempts) {
468     Result<loop::LoopbackDeviceUniqueFd> ret = loop::CreateLoopDevice(
469         full_path, apex.GetImageOffset().value(), apex.GetImageSize().value());
470     if (ret.ok()) {
471       loopback_device = std::move(*ret);
472       break;
473     }
474     if (attempts >= kLoopDeviceSetupAttempts) {
475       return Error() << "Could not create loop device for " << full_path << ": "
476                      << ret.error();
477     }
478   }
479   LOG(VERBOSE) << "Loopback device created: " << loopback_device.name;
480 
481   auto& instance = ApexFileRepository::GetInstance();
482 
483   auto public_key = instance.GetPublicKey(apex.GetManifest().name());
484   if (!public_key.ok()) {
485     return public_key.error();
486   }
487 
488   auto verity_data = apex.VerifyApexVerity(*public_key);
489   if (!verity_data.ok()) {
490     return Error() << "Failed to verify Apex Verity data for " << full_path
491                    << ": " << verity_data.error();
492   }
493   std::string block_device = loopback_device.name;
494   MountedApexData apex_data(loopback_device.name, apex.GetPath(), mount_point,
495                             /* device_name = */ "",
496                             /* hashtree_loop_name = */ "",
497                             /* is_temp_mount */ temp_mount);
498 
499   // for APEXes in immutable partitions, we don't need to mount them on
500   // dm-verity because they are already in the dm-verity protected partition;
501   // system. However, note that we don't skip verification to ensure that APEXes
502   // are correctly signed.
503   const bool mount_on_verity =
504       !instance.IsPreInstalledApex(apex) || instance.IsDecompressedApex(apex);
505 
506   DmVerityDevice verity_dev;
507   loop::LoopbackDeviceUniqueFd loop_for_hash;
508   if (mount_on_verity) {
509     std::string hash_device = loopback_device.name;
510     if (verity_data->desc->tree_size == 0) {
511       if (auto st = PrepareHashTree(apex, *verity_data, hashtree_file);
512           !st.ok()) {
513         return st.error();
514       }
515       auto create_loop_status = loop::CreateLoopDevice(hashtree_file, 0, 0);
516       if (!create_loop_status.ok()) {
517         return create_loop_status.error();
518       }
519       loop_for_hash = std::move(*create_loop_status);
520       hash_device = loop_for_hash.name;
521       apex_data.hashtree_loop_name = hash_device;
522     }
523     auto verity_table =
524         CreateVerityTable(*verity_data, loopback_device.name, hash_device,
525                           /* restart_on_corruption = */ !verify_image);
526     Result<DmVerityDevice> verity_dev_res =
527         CreateVerityDevice(device_name, *verity_table);
528     if (!verity_dev_res.ok()) {
529       return Error() << "Failed to create Apex Verity device " << full_path
530                      << ": " << verity_dev_res.error();
531     }
532     verity_dev = std::move(*verity_dev_res);
533     apex_data.device_name = device_name;
534     block_device = verity_dev.GetDevPath();
535 
536     Result<void> read_ahead_status =
537         loop::ConfigureReadAhead(verity_dev.GetDevPath());
538     if (!read_ahead_status.ok()) {
539       return read_ahead_status.error();
540     }
541   }
542   // TODO(b/158467418): consider moving this inside RunVerifyFnInsideTempMount.
543   if (mount_on_verity && verify_image) {
544     Result<void> verity_status =
545         ReadVerityDevice(block_device, (*verity_data).desc->image_size);
546     if (!verity_status.ok()) {
547       return verity_status.error();
548     }
549   }
550 
551   uint32_t mount_flags = MS_NOATIME | MS_NODEV | MS_DIRSYNC | MS_RDONLY;
552   if (apex.GetManifest().nocode()) {
553     mount_flags |= MS_NOEXEC;
554   }
555 
556   if (!apex.GetFsType()) {
557     return Error() << "Cannot mount package without FsType";
558   }
559   if (mount(block_device.c_str(), mount_point.c_str(),
560             apex.GetFsType().value().c_str(), mount_flags, nullptr) == 0) {
561     auto time_elapsed = std::chrono::duration_cast<std::chrono::milliseconds>(
562         boot_clock::now() - time_started).count();
563     LOG(INFO) << "Successfully mounted package " << full_path << " on "
564               << mount_point << " duration=" << time_elapsed;
565     auto status = VerifyMountedImage(apex, mount_point);
566     if (!status.ok()) {
567       if (umount2(mount_point.c_str(), UMOUNT_NOFOLLOW) != 0) {
568         PLOG(ERROR) << "Failed to umount " << mount_point;
569       }
570       return Error() << "Failed to verify " << full_path << ": "
571                      << status.error();
572     }
573     // Time to accept the temporaries as good.
574     verity_dev.Release();
575     loopback_device.CloseGood();
576     loop_for_hash.CloseGood();
577 
578     scope_guard.Disable();  // Accept the mount.
579     return apex_data;
580   } else {
581     return ErrnoError() << "Mounting failed for package " << full_path;
582   }
583 }
584 
GetHashTreeFileName(const ApexFile & apex,bool is_new)585 std::string GetHashTreeFileName(const ApexFile& apex, bool is_new) {
586   const std::string& id = GetPackageId(apex.GetManifest());
587   std::string ret =
588       StringPrintf("%s/%s", gConfig->apex_hash_tree_dir, id.c_str());
589   return is_new ? ret + ".new" : ret;
590 }
591 
VerifyAndTempMountPackage(const ApexFile & apex,const std::string & mount_point)592 Result<MountedApexData> VerifyAndTempMountPackage(
593     const ApexFile& apex, const std::string& mount_point) {
594   const std::string& package_id = GetPackageId(apex.GetManifest());
595   LOG(DEBUG) << "Temp mounting " << package_id << " to " << mount_point;
596   const std::string& temp_device_name = package_id + ".tmp";
597   std::string hashtree_file = GetHashTreeFileName(apex, /* is_new = */ true);
598   if (access(hashtree_file.c_str(), F_OK) == 0) {
599     LOG(DEBUG) << hashtree_file << " already exists. Deleting it";
600     if (TEMP_FAILURE_RETRY(unlink(hashtree_file.c_str())) != 0) {
601       return ErrnoError() << "Failed to unlink " << hashtree_file;
602     }
603   }
604   auto ret =
605       MountPackageImpl(apex, mount_point, temp_device_name, hashtree_file,
606                        /* verify_image = */ true, /* temp_mount = */ true);
607   if (!ret.ok()) {
608     LOG(DEBUG) << "Cleaning up " << hashtree_file;
609     if (TEMP_FAILURE_RETRY(unlink(hashtree_file.c_str())) != 0) {
610       PLOG(ERROR) << "Failed to unlink " << hashtree_file;
611     }
612   } else {
613     gMountedApexes.AddMountedApex(apex.GetManifest().name(), false, *ret);
614   }
615   return ret;
616 }
617 
618 }  // namespace
619 
Unmount(const MountedApexData & data,bool deferred)620 Result<void> Unmount(const MountedApexData& data, bool deferred) {
621   LOG(DEBUG) << "Unmounting " << data.full_path << " from mount point "
622              << data.mount_point << " deferred = " << deferred;
623   // Lazily try to umount whatever is mounted.
624   if (umount2(data.mount_point.c_str(), UMOUNT_NOFOLLOW) != 0 &&
625       errno != EINVAL && errno != ENOENT) {
626     return ErrnoError() << "Failed to unmount directory " << data.mount_point;
627   }
628 
629   if (!deferred) {
630     if (rmdir(data.mount_point.c_str()) != 0) {
631       PLOG(ERROR) << "Failed to rmdir " << data.mount_point;
632     }
633   }
634 
635   // Try to free up the device-mapper device.
636   if (!data.device_name.empty()) {
637     const auto& result = DeleteVerityDevice(data.device_name, deferred);
638     if (!result.ok()) {
639       return result;
640     }
641   }
642 
643   // Try to free up the loop device.
644   auto log_fn = [](const std::string& path, const std::string& /*id*/) {
645     LOG(VERBOSE) << "Freeing loop device " << path << " for unmount.";
646   };
647 
648   // Since we now use LO_FLAGS_AUTOCLEAR when configuring loop devices, in
649   // theory we don't need to manually call DestroyLoopDevice here even if
650   // |deferred| is false. However we prefer to call it to ensure the invariant
651   // of SubmitStagedSession (after it's done, loop devices created for temp
652   // mount are freed).
653   if (!data.loop_name.empty() && !deferred) {
654     loop::DestroyLoopDevice(data.loop_name, log_fn);
655   }
656   if (!data.hashtree_loop_name.empty() && !deferred) {
657     loop::DestroyLoopDevice(data.hashtree_loop_name, log_fn);
658   }
659 
660   return {};
661 }
662 
663 namespace {
664 
665 template <typename VerifyFn>
RunVerifyFnInsideTempMount(const ApexFile & apex,const VerifyFn & verify_fn,bool unmount_during_cleanup)666 Result<void> RunVerifyFnInsideTempMount(const ApexFile& apex,
667                                         const VerifyFn& verify_fn,
668                                         bool unmount_during_cleanup) {
669   // Temp mount image of this apex to validate it was properly signed;
670   // this will also read the entire block device through dm-verity, so
671   // we can be sure there is no corruption.
672   const std::string& temp_mount_point =
673       apexd_private::GetPackageTempMountPoint(apex.GetManifest());
674 
675   Result<MountedApexData> mount_status =
676       VerifyAndTempMountPackage(apex, temp_mount_point);
677   if (!mount_status.ok()) {
678     LOG(ERROR) << "Failed to temp mount to " << temp_mount_point << " : "
679                << mount_status.error();
680     return mount_status.error();
681   }
682   auto cleaner = [&]() {
683     LOG(DEBUG) << "Unmounting " << temp_mount_point;
684     Result<void> result = Unmount(*mount_status, /* deferred= */ false);
685     if (!result.ok()) {
686       LOG(WARNING) << "Failed to unmount " << temp_mount_point << " : "
687                    << result.error();
688     }
689     gMountedApexes.RemoveMountedApex(apex.GetManifest().name(), apex.GetPath(),
690                                      true);
691   };
692   auto scope_guard = android::base::make_scope_guard(cleaner);
693   auto result = verify_fn(temp_mount_point);
694   if (!result.ok()) {
695     return result.error();
696   }
697   if (!unmount_during_cleanup) {
698     scope_guard.Disable();
699   }
700   return {};
701 }
702 
703 template <typename HookFn, typename HookCall>
PrePostinstallPackages(const std::vector<ApexFile> & apexes,HookFn fn,HookCall call)704 Result<void> PrePostinstallPackages(const std::vector<ApexFile>& apexes,
705                                     HookFn fn, HookCall call) {
706   auto scope_guard = android::base::make_scope_guard([&]() {
707     for (const ApexFile& apex_file : apexes) {
708       apexd_private::UnmountTempMount(apex_file);
709     }
710   });
711   if (apexes.empty()) {
712     return Errorf("Empty set of inputs");
713   }
714 
715   // 1) Check whether the APEXes have hooks.
716   bool has_hooks = false;
717   for (const ApexFile& apex_file : apexes) {
718     if (!(apex_file.GetManifest().*fn)().empty()) {
719       has_hooks = true;
720       break;
721     }
722   }
723 
724   // 2) If we found hooks, temp mount if required, and run the pre/post-install.
725   if (has_hooks) {
726     std::vector<std::string> mount_points;
727     for (const ApexFile& apex : apexes) {
728       // Retrieve the mount data if the apex is already temp mounted, temp
729       // mount it otherwise.
730       std::string mount_point =
731           apexd_private::GetPackageTempMountPoint(apex.GetManifest());
732       Result<MountedApexData> mount_data =
733           apexd_private::GetTempMountedApexData(apex.GetManifest().name());
734       if (!mount_data.ok()) {
735         mount_data = VerifyAndTempMountPackage(apex, mount_point);
736         if (!mount_data.ok()) {
737           return mount_data.error();
738         }
739       }
740       mount_points.push_back(mount_point);
741     }
742 
743     Result<void> install_status = (*call)(apexes, mount_points);
744     if (!install_status.ok()) {
745       return install_status;
746     }
747   }
748 
749   return {};
750 }
751 
PreinstallPackages(const std::vector<ApexFile> & apexes)752 Result<void> PreinstallPackages(const std::vector<ApexFile>& apexes) {
753   return PrePostinstallPackages(apexes, &ApexManifest::preinstallhook,
754                                 &StagePreInstall);
755 }
756 
PostinstallPackages(const std::vector<ApexFile> & apexes)757 Result<void> PostinstallPackages(const std::vector<ApexFile>& apexes) {
758   return PrePostinstallPackages(apexes, &ApexManifest::postinstallhook,
759                                 &StagePostInstall);
760 }
761 
762 // Converts a list of apex file paths into a list of ApexFile objects
763 //
764 // Returns error when trying to open empty set of inputs.
OpenApexFiles(const std::vector<std::string> & paths)765 Result<std::vector<ApexFile>> OpenApexFiles(
766     const std::vector<std::string>& paths) {
767   if (paths.empty()) {
768     return Errorf("Empty set of inputs");
769   }
770   std::vector<ApexFile> ret;
771   for (const std::string& path : paths) {
772     Result<ApexFile> apex_file = ApexFile::Open(path);
773     if (!apex_file.ok()) {
774       return apex_file.error();
775     }
776     ret.emplace_back(std::move(*apex_file));
777   }
778   return ret;
779 }
780 
ValidateStagingShimApex(const ApexFile & to)781 Result<void> ValidateStagingShimApex(const ApexFile& to) {
782   using android::base::StringPrintf;
783   auto system_shim = ApexFile::Open(
784       StringPrintf("%s/%s", kApexPackageSystemDir, shim::kSystemShimApexName));
785   if (!system_shim.ok()) {
786     return system_shim.error();
787   }
788   auto verify_fn = [&](const std::string& system_apex_path) {
789     return shim::ValidateUpdate(system_apex_path, to.GetPath());
790   };
791   return RunVerifyFnInsideTempMount(*system_shim, verify_fn, true);
792 }
793 
794 // A version of apex verification that happens during boot.
795 // This function should only verification checks that are necessary to run on
796 // each boot. Try to avoid putting expensive checks inside this function.
VerifyPackageBoot(const ApexFile & apex_file)797 Result<void> VerifyPackageBoot(const ApexFile& apex_file) {
798   // TODO(ioffe): why do we need this here?
799   auto& instance = ApexFileRepository::GetInstance();
800   auto public_key = instance.GetPublicKey(apex_file.GetManifest().name());
801   if (!public_key.ok()) {
802     return public_key.error();
803   }
804   Result<ApexVerityData> verity_or = apex_file.VerifyApexVerity(*public_key);
805   if (!verity_or.ok()) {
806     return verity_or.error();
807   }
808 
809   if (shim::IsShimApex(apex_file)) {
810     // Validating shim is not a very cheap operation, but it's fine to perform
811     // it here since it only runs during CTS tests and will never be triggered
812     // during normal flow.
813     const auto& result = ValidateStagingShimApex(apex_file);
814     if (!result.ok()) {
815       return result;
816     }
817   }
818   return {};
819 }
820 
821 // A version of apex verification that happens on SubmitStagedSession.
822 // This function contains checks that might be expensive to perform, e.g. temp
823 // mounting a package and reading entire dm-verity device, and shouldn't be run
824 // during boot.
VerifyPackageStagedInstall(const ApexFile & apex_file)825 Result<void> VerifyPackageStagedInstall(const ApexFile& apex_file) {
826   const auto& verify_package_boot_status = VerifyPackageBoot(apex_file);
827   if (!verify_package_boot_status.ok()) {
828     return verify_package_boot_status;
829   }
830 
831   constexpr const auto kSuccessFn = [](const std::string& /*mount_point*/) {
832     return Result<void>{};
833   };
834   return RunVerifyFnInsideTempMount(apex_file, kSuccessFn, false);
835 }
836 
837 template <typename VerifyApexFn>
VerifyPackages(const std::vector<std::string> & paths,const VerifyApexFn & verify_apex_fn)838 Result<std::vector<ApexFile>> VerifyPackages(
839     const std::vector<std::string>& paths, const VerifyApexFn& verify_apex_fn) {
840   Result<std::vector<ApexFile>> apex_files = OpenApexFiles(paths);
841   if (!apex_files.ok()) {
842     return apex_files.error();
843   }
844 
845   LOG(DEBUG) << "VerifyPackages() for " << Join(paths, ',');
846 
847   for (const ApexFile& apex_file : *apex_files) {
848     Result<void> result = verify_apex_fn(apex_file);
849     if (!result.ok()) {
850       return result.error();
851     }
852   }
853   return std::move(*apex_files);
854 }
855 
VerifySessionDir(const int session_id)856 Result<ApexFile> VerifySessionDir(const int session_id) {
857   std::string session_dir_path = std::string(kStagedSessionsDir) + "/session_" +
858                                  std::to_string(session_id);
859   LOG(INFO) << "Scanning " << session_dir_path
860             << " looking for packages to be validated";
861   Result<std::vector<std::string>> scan =
862       FindFilesBySuffix(session_dir_path, {kApexPackageSuffix});
863   if (!scan.ok()) {
864     LOG(WARNING) << scan.error();
865     return scan.error();
866   }
867 
868   if (scan->size() > 1) {
869     return Errorf(
870         "More than one APEX package found in the same session directory.");
871   }
872 
873   auto verified = VerifyPackages(*scan, VerifyPackageStagedInstall);
874   if (!verified.ok()) {
875     return verified.error();
876   }
877   return std::move((*verified)[0]);
878 }
879 
DeleteBackup()880 Result<void> DeleteBackup() {
881   auto exists = PathExists(std::string(kApexBackupDir));
882   if (!exists.ok()) {
883     return Error() << "Can't clean " << kApexBackupDir << " : "
884                    << exists.error();
885   }
886   if (!*exists) {
887     LOG(DEBUG) << kApexBackupDir << " does not exist. Nothing to clean";
888     return {};
889   }
890   return DeleteDirContent(std::string(kApexBackupDir));
891 }
892 
BackupActivePackages()893 Result<void> BackupActivePackages() {
894   LOG(DEBUG) << "Initializing  backup of " << gConfig->active_apex_data_dir;
895 
896   // Previous restore might've delete backups folder.
897   auto create_status = CreateDirIfNeeded(kApexBackupDir, 0700);
898   if (!create_status.ok()) {
899     return Error() << "Backup failed : " << create_status.error();
900   }
901 
902   auto apex_active_exists =
903       PathExists(std::string(gConfig->active_apex_data_dir));
904   if (!apex_active_exists.ok()) {
905     return Error() << "Backup failed : " << apex_active_exists.error();
906   }
907   if (!*apex_active_exists) {
908     LOG(DEBUG) << gConfig->active_apex_data_dir
909                << " does not exist. Nothing to backup";
910     return {};
911   }
912 
913   auto active_packages =
914       FindFilesBySuffix(gConfig->active_apex_data_dir, {kApexPackageSuffix});
915   if (!active_packages.ok()) {
916     return Error() << "Backup failed : " << active_packages.error();
917   }
918 
919   auto cleanup_status = DeleteBackup();
920   if (!cleanup_status.ok()) {
921     return Error() << "Backup failed : " << cleanup_status.error();
922   }
923 
924   auto backup_path_fn = [](const ApexFile& apex_file) {
925     return StringPrintf("%s/%s%s", kApexBackupDir,
926                         GetPackageId(apex_file.GetManifest()).c_str(),
927                         kApexPackageSuffix);
928   };
929 
930   auto deleter = []() {
931     auto result = DeleteDirContent(std::string(kApexBackupDir));
932     if (!result.ok()) {
933       LOG(ERROR) << "Failed to cleanup " << kApexBackupDir << " : "
934                  << result.error();
935     }
936   };
937   auto scope_guard = android::base::make_scope_guard(deleter);
938 
939   for (const std::string& path : *active_packages) {
940     Result<ApexFile> apex_file = ApexFile::Open(path);
941     if (!apex_file.ok()) {
942       return Error() << "Backup failed : " << apex_file.error();
943     }
944     const auto& dest_path = backup_path_fn(*apex_file);
945     if (link(apex_file->GetPath().c_str(), dest_path.c_str()) != 0) {
946       return ErrnoError() << "Failed to backup " << apex_file->GetPath();
947     }
948   }
949 
950   scope_guard.Disable();  // Accept the backup.
951   return {};
952 }
953 
RestoreActivePackages()954 Result<void> RestoreActivePackages() {
955   LOG(DEBUG) << "Initializing  restore of " << gConfig->active_apex_data_dir;
956 
957   auto backup_exists = PathExists(std::string(kApexBackupDir));
958   if (!backup_exists.ok()) {
959     return backup_exists.error();
960   }
961   if (!*backup_exists) {
962     return Error() << kApexBackupDir << " does not exist";
963   }
964 
965   struct stat stat_data;
966   if (stat(gConfig->active_apex_data_dir, &stat_data) != 0) {
967     return ErrnoError() << "Failed to access " << gConfig->active_apex_data_dir;
968   }
969 
970   LOG(DEBUG) << "Deleting existing packages in "
971              << gConfig->active_apex_data_dir;
972   auto delete_status =
973       DeleteDirContent(std::string(gConfig->active_apex_data_dir));
974   if (!delete_status.ok()) {
975     return delete_status;
976   }
977 
978   LOG(DEBUG) << "Renaming " << kApexBackupDir << " to "
979              << gConfig->active_apex_data_dir;
980   if (rename(kApexBackupDir, gConfig->active_apex_data_dir) != 0) {
981     return ErrnoError() << "Failed to rename " << kApexBackupDir << " to "
982                         << gConfig->active_apex_data_dir;
983   }
984 
985   LOG(DEBUG) << "Restoring original permissions for "
986              << gConfig->active_apex_data_dir;
987   if (chmod(gConfig->active_apex_data_dir, stat_data.st_mode & ALLPERMS) != 0) {
988     return ErrnoError() << "Failed to restore original permissions for "
989                         << gConfig->active_apex_data_dir;
990   }
991 
992   return {};
993 }
994 
UnmountPackage(const ApexFile & apex,bool allow_latest,bool deferred)995 Result<void> UnmountPackage(const ApexFile& apex, bool allow_latest,
996                             bool deferred) {
997   LOG(INFO) << "Unmounting " << GetPackageId(apex.GetManifest());
998 
999   const ApexManifest& manifest = apex.GetManifest();
1000 
1001   std::optional<MountedApexData> data;
1002   bool latest = false;
1003 
1004   auto fn = [&](const MountedApexData& d, bool l) {
1005     if (d.full_path == apex.GetPath()) {
1006       data.emplace(d);
1007       latest = l;
1008     }
1009   };
1010   gMountedApexes.ForallMountedApexes(manifest.name(), fn);
1011 
1012   if (!data) {
1013     return Error() << "Did not find " << apex.GetPath();
1014   }
1015 
1016   // Concept of latest sharedlibs apex is somewhat blurred. Since this is only
1017   // used in testing, it is ok to always allow unmounting sharedlibs apex.
1018   if (latest && !manifest.providesharedapexlibs()) {
1019     if (!allow_latest) {
1020       return Error() << "Package " << apex.GetPath() << " is active";
1021     }
1022     std::string mount_point = apexd_private::GetActiveMountPoint(manifest);
1023     LOG(INFO) << "Unmounting " << mount_point;
1024     if (umount2(mount_point.c_str(), UMOUNT_NOFOLLOW) != 0) {
1025       return ErrnoError() << "Failed to unmount " << mount_point;
1026     }
1027 
1028     if (!deferred) {
1029       if (rmdir(mount_point.c_str()) != 0) {
1030         PLOG(ERROR) << "Failed to rmdir " << mount_point;
1031       }
1032     }
1033   }
1034 
1035   // Clean up gMountedApexes now, even though we're not fully done.
1036   gMountedApexes.RemoveMountedApex(manifest.name(), apex.GetPath());
1037   return Unmount(*data, deferred);
1038 }
1039 
1040 }  // namespace
1041 
SetConfig(const ApexdConfig & config)1042 void SetConfig(const ApexdConfig& config) { gConfig = config; }
1043 
MountPackage(const ApexFile & apex,const std::string & mount_point,const std::string & device_name)1044 Result<void> MountPackage(const ApexFile& apex, const std::string& mount_point,
1045                           const std::string& device_name) {
1046   auto ret = MountPackageImpl(apex, mount_point, device_name,
1047                               GetHashTreeFileName(apex, /* is_new= */ false),
1048                               /* verify_image = */ false);
1049   if (!ret.ok()) {
1050     return ret.error();
1051   }
1052 
1053   gMountedApexes.AddMountedApex(apex.GetManifest().name(), false, *ret);
1054   return {};
1055 }
1056 
1057 namespace apexd_private {
1058 
UnmountTempMount(const ApexFile & apex)1059 Result<void> UnmountTempMount(const ApexFile& apex) {
1060   const ApexManifest& manifest = apex.GetManifest();
1061   LOG(VERBOSE) << "Unmounting all temp mounts for package " << manifest.name();
1062 
1063   bool finished_unmounting = false;
1064   // If multiple temp mounts exist, ensure that all are unmounted.
1065   while (!finished_unmounting) {
1066     Result<MountedApexData> data =
1067         apexd_private::GetTempMountedApexData(manifest.name());
1068     if (!data.ok()) {
1069       finished_unmounting = true;
1070     } else {
1071       gMountedApexes.RemoveMountedApex(manifest.name(), data->full_path, true);
1072       Unmount(*data, /* deferred= */ false);
1073     }
1074   }
1075   return {};
1076 }
1077 
GetTempMountedApexData(const std::string & package)1078 Result<MountedApexData> GetTempMountedApexData(const std::string& package) {
1079   bool found = false;
1080   Result<MountedApexData> mount_data;
1081   gMountedApexes.ForallMountedApexes(
1082       package,
1083       [&](const MountedApexData& data, [[maybe_unused]] bool latest) {
1084         if (!found) {
1085           mount_data = data;
1086           found = true;
1087         }
1088       },
1089       true);
1090   if (found) {
1091     return mount_data;
1092   }
1093   return Error() << "No temp mount data found for " << package;
1094 }
1095 
IsMounted(const std::string & full_path)1096 bool IsMounted(const std::string& full_path) {
1097   bool found_mounted = false;
1098   gMountedApexes.ForallMountedApexes([&](const std::string&,
1099                                          const MountedApexData& data,
1100                                          [[maybe_unused]] bool latest) {
1101     if (full_path == data.full_path) {
1102       found_mounted = true;
1103     }
1104   });
1105   return found_mounted;
1106 }
1107 
GetPackageMountPoint(const ApexManifest & manifest)1108 std::string GetPackageMountPoint(const ApexManifest& manifest) {
1109   return StringPrintf("%s/%s", kApexRoot, GetPackageId(manifest).c_str());
1110 }
1111 
GetPackageTempMountPoint(const ApexManifest & manifest)1112 std::string GetPackageTempMountPoint(const ApexManifest& manifest) {
1113   return StringPrintf("%s.tmp", GetPackageMountPoint(manifest).c_str());
1114 }
1115 
GetActiveMountPoint(const ApexManifest & manifest)1116 std::string GetActiveMountPoint(const ApexManifest& manifest) {
1117   return StringPrintf("%s/%s", kApexRoot, manifest.name().c_str());
1118 }
1119 
1120 }  // namespace apexd_private
1121 
ResumeRevertIfNeeded()1122 Result<void> ResumeRevertIfNeeded() {
1123   auto sessions =
1124       ApexSession::GetSessionsInState(SessionState::REVERT_IN_PROGRESS);
1125   if (sessions.empty()) {
1126     return {};
1127   }
1128   return RevertActiveSessions("", "");
1129 }
1130 
ActivateSharedLibsPackage(const std::string & mount_point)1131 Result<void> ActivateSharedLibsPackage(const std::string& mount_point) {
1132   for (const auto& lib_path : {"lib", "lib64"}) {
1133     std::string apex_lib_path = mount_point + "/" + lib_path;
1134     auto lib_dir = PathExists(apex_lib_path);
1135     if (!lib_dir.ok() || !*lib_dir) {
1136       continue;
1137     }
1138 
1139     auto iter = std::filesystem::directory_iterator(apex_lib_path);
1140     std::error_code ec;
1141 
1142     while (iter != std::filesystem::end(iter)) {
1143       const auto& lib_entry = *iter;
1144       if (!lib_entry.is_directory()) {
1145         iter = iter.increment(ec);
1146         if (ec) {
1147           return Error() << "Failed to scan " << apex_lib_path << " : "
1148                          << ec.message();
1149         }
1150         continue;
1151       }
1152 
1153       const auto library_name = lib_entry.path().filename();
1154       const std::string library_symlink_dir =
1155           StringPrintf("%s/%s/%s/%s", kApexRoot, kApexSharedLibsSubDir,
1156                        lib_path, library_name.c_str());
1157 
1158       auto symlink_dir = PathExists(library_symlink_dir);
1159       if (!symlink_dir.ok() || !*symlink_dir) {
1160         std::filesystem::create_directory(library_symlink_dir, ec);
1161         if (ec) {
1162           return Error() << "Failed to create directory " << library_symlink_dir
1163                          << ": " << ec.message();
1164         }
1165       }
1166 
1167       auto inner_iter =
1168           std::filesystem::directory_iterator(lib_entry.path().string());
1169 
1170       while (inner_iter != std::filesystem::end(inner_iter)) {
1171         const auto& lib_items = *inner_iter;
1172         const auto hash_value = lib_items.path().filename();
1173         const std::string library_symlink_hash = StringPrintf(
1174             "%s/%s", library_symlink_dir.c_str(), hash_value.c_str());
1175 
1176         auto hash_dir = PathExists(library_symlink_hash);
1177         if (hash_dir.ok() && *hash_dir) {
1178           // Compare file size for two library files with same name and hash
1179           // value
1180           auto existing_file_path =
1181               library_symlink_hash + "/" + library_name.string();
1182           auto existing_file_size = GetFileSize(existing_file_path);
1183           if (!existing_file_size.ok()) {
1184             return existing_file_size.error();
1185           }
1186 
1187           auto new_file_path =
1188               lib_items.path().string() + "/" + library_name.string();
1189           auto new_file_size = GetFileSize(new_file_path);
1190           if (!new_file_size.ok()) {
1191             return new_file_size.error();
1192           }
1193 
1194           if (*existing_file_size != *new_file_size) {
1195             return Error() << "There are two libraries with same hash and "
1196                               "different file size : "
1197                            << existing_file_path << " and " << new_file_path;
1198           }
1199 
1200           inner_iter = inner_iter.increment(ec);
1201           if (ec) {
1202             return Error() << "Failed to scan " << lib_entry.path().string()
1203                            << " : " << ec.message();
1204           }
1205           continue;
1206         }
1207         std::filesystem::create_directory_symlink(lib_items.path(),
1208                                                   library_symlink_hash, ec);
1209         if (ec) {
1210           return Error() << "Failed to create symlink from " << lib_items.path()
1211                          << " to " << library_symlink_hash << ec.message();
1212         }
1213 
1214         inner_iter = inner_iter.increment(ec);
1215         if (ec) {
1216           return Error() << "Failed to scan " << lib_entry.path().string()
1217                          << " : " << ec.message();
1218         }
1219       }
1220 
1221       iter = iter.increment(ec);
1222       if (ec) {
1223         return Error() << "Failed to scan " << apex_lib_path << " : "
1224                        << ec.message();
1225       }
1226     }
1227   }
1228 
1229   return {};
1230 }
1231 
IsValidPackageName(const std::string & package_name)1232 bool IsValidPackageName(const std::string& package_name) {
1233   return kBannedApexName.count(package_name) == 0;
1234 }
1235 
ActivatePackageImpl(const ApexFile & apex_file,const std::string & device_name)1236 Result<void> ActivatePackageImpl(const ApexFile& apex_file,
1237                                  const std::string& device_name) {
1238   const ApexManifest& manifest = apex_file.GetManifest();
1239 
1240   if (!IsValidPackageName(manifest.name())) {
1241     return Errorf("Package name {} is not allowed.", manifest.name());
1242   }
1243 
1244   // Validate upgraded shim apex
1245   if (shim::IsShimApex(apex_file) &&
1246       !ApexFileRepository::GetInstance().IsPreInstalledApex(apex_file)) {
1247     // This is not cheap for shim apex, but it is fine here since we have
1248     // upgraded shim apex only during CTS tests.
1249     Result<void> result = VerifyPackageBoot(apex_file);
1250     if (!result.ok()) {
1251       LOG(ERROR) << "Failed to validate shim apex: " << apex_file.GetPath();
1252       return result;
1253     }
1254   }
1255 
1256   // See whether we think it's active, and do not allow to activate the same
1257   // version. Also detect whether this is the highest version.
1258   // We roll this into a single check.
1259   bool is_newest_version = true;
1260   bool version_found_mounted = false;
1261   {
1262     uint64_t new_version = manifest.version();
1263     bool version_found_active = false;
1264     gMountedApexes.ForallMountedApexes(
1265         manifest.name(), [&](const MountedApexData& data, bool latest) {
1266           Result<ApexFile> other_apex = ApexFile::Open(data.full_path);
1267           if (!other_apex.ok()) {
1268             return;
1269           }
1270           if (static_cast<uint64_t>(other_apex->GetManifest().version()) ==
1271               new_version) {
1272             version_found_mounted = true;
1273             version_found_active = latest;
1274           }
1275           if (static_cast<uint64_t>(other_apex->GetManifest().version()) >
1276               new_version) {
1277             is_newest_version = false;
1278           }
1279         });
1280     // If the package provides shared libraries to other APEXs, we need to
1281     // activate all versions available (i.e. preloaded on /system/apex and
1282     // available on /data/apex/active). The reason is that there might be some
1283     // APEXs loaded from /system/apex that reference the libraries contained on
1284     // the preloaded version of the apex providing shared libraries.
1285     if (version_found_active && !manifest.providesharedapexlibs()) {
1286       LOG(DEBUG) << "Package " << manifest.name() << " with version "
1287                  << manifest.version() << " already active";
1288       return {};
1289     }
1290   }
1291 
1292   const std::string& mount_point =
1293       apexd_private::GetPackageMountPoint(manifest);
1294 
1295   if (!version_found_mounted) {
1296     auto mount_status = MountPackage(apex_file, mount_point, device_name);
1297     if (!mount_status.ok()) {
1298       return mount_status;
1299     }
1300   }
1301 
1302   // For packages providing shared libraries, avoid creating a bindmount since
1303   // there is no use for the /apex/<package_name> directory. However, mark the
1304   // highest version as latest so that the latest version of the package can be
1305   // properly reported to PackageManager.
1306   if (manifest.providesharedapexlibs()) {
1307     if (is_newest_version) {
1308       gMountedApexes.SetLatest(manifest.name(), apex_file.GetPath());
1309     }
1310   } else {
1311     bool mounted_latest = false;
1312     // Bind mount the latest version to /apex/<package_name>, unless the
1313     // package provides shared libraries to other APEXs.
1314     if (is_newest_version) {
1315       const Result<void>& update_st = apexd_private::BindMount(
1316           apexd_private::GetActiveMountPoint(manifest), mount_point);
1317       mounted_latest = update_st.has_value();
1318       if (!update_st.ok()) {
1319         return Error() << "Failed to update package " << manifest.name()
1320                        << " to version " << manifest.version() << " : "
1321                        << update_st.error();
1322       }
1323     }
1324     if (mounted_latest) {
1325       gMountedApexes.SetLatest(manifest.name(), apex_file.GetPath());
1326     }
1327   }
1328 
1329   if (manifest.providesharedapexlibs()) {
1330     const auto& handle_shared_libs_apex =
1331         ActivateSharedLibsPackage(mount_point);
1332     if (!handle_shared_libs_apex.ok()) {
1333       return handle_shared_libs_apex;
1334     }
1335   }
1336 
1337   LOG(DEBUG) << "Successfully activated " << apex_file.GetPath()
1338              << " package_name: " << manifest.name()
1339              << " version: " << manifest.version();
1340   return {};
1341 }
1342 
ActivatePackage(const std::string & full_path)1343 Result<void> ActivatePackage(const std::string& full_path) {
1344   LOG(INFO) << "Trying to activate " << full_path;
1345 
1346   Result<ApexFile> apex_file = ApexFile::Open(full_path);
1347   if (!apex_file.ok()) {
1348     return apex_file.error();
1349   }
1350   return ActivatePackageImpl(*apex_file,
1351                              GetPackageId(apex_file->GetManifest()));
1352 }
1353 
DeactivatePackage(const std::string & full_path)1354 Result<void> DeactivatePackage(const std::string& full_path) {
1355   LOG(INFO) << "Trying to deactivate " << full_path;
1356 
1357   Result<ApexFile> apex_file = ApexFile::Open(full_path);
1358   if (!apex_file.ok()) {
1359     return apex_file.error();
1360   }
1361 
1362   return UnmountPackage(*apex_file, /* allow_latest= */ true,
1363                         /* deferred= */ false);
1364 }
1365 
GetActivePackages()1366 std::vector<ApexFile> GetActivePackages() {
1367   std::vector<ApexFile> ret;
1368   gMountedApexes.ForallMountedApexes(
1369       [&](const std::string&, const MountedApexData& data, bool latest) {
1370         if (!latest) {
1371           return;
1372         }
1373 
1374         Result<ApexFile> apex_file = ApexFile::Open(data.full_path);
1375         if (!apex_file.ok()) {
1376           return;
1377         }
1378         ret.emplace_back(std::move(*apex_file));
1379       });
1380 
1381   return ret;
1382 }
1383 
CalculateInactivePackages(const std::vector<ApexFile> & active)1384 std::vector<ApexFile> CalculateInactivePackages(
1385     const std::vector<ApexFile>& active) {
1386   std::vector<ApexFile> inactive = GetFactoryPackages();
1387   auto new_end = std::remove_if(
1388       inactive.begin(), inactive.end(), [&active](const ApexFile& apex) {
1389         return std::any_of(active.begin(), active.end(),
1390                            [&apex](const ApexFile& active_apex) {
1391                              return apex.GetPath() == active_apex.GetPath();
1392                            });
1393       });
1394   inactive.erase(new_end, inactive.end());
1395   return std::move(inactive);
1396 }
1397 
EmitApexInfoList(bool is_bootstrap)1398 Result<void> EmitApexInfoList(bool is_bootstrap) {
1399   // on a non-updatable device, we don't have APEX database to emit
1400   if (!android::sysprop::ApexProperties::updatable().value_or(false)) {
1401     return {};
1402   }
1403 
1404   // Apexd runs both in "bootstrap" and "default" mount namespace.
1405   // To expose /apex/apex-info-list.xml separately in each mount namespaces,
1406   // we write /apex/.<namespace>-apex-info-list .xml file first and then
1407   // bind mount it to the canonical file (/apex/apex-info-list.xml).
1408   const std::string file_name =
1409       fmt::format("{}/.{}-{}", kApexRoot,
1410                   is_bootstrap ? "bootstrap" : "default", kApexInfoList);
1411 
1412   unique_fd fd(TEMP_FAILURE_RETRY(
1413       open(file_name.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)));
1414   if (fd.get() == -1) {
1415     return ErrnoErrorf("Can't open {}", file_name);
1416   }
1417 
1418   const std::vector<ApexFile> active(GetActivePackages());
1419 
1420   std::vector<ApexFile> inactive;
1421   // we skip for non-activated built-in apexes in bootstrap mode
1422   // in order to avoid boottime increase
1423   if (!is_bootstrap) {
1424     inactive = CalculateInactivePackages(active);
1425   }
1426 
1427   std::stringstream xml;
1428   CollectApexInfoList(xml, active, inactive);
1429 
1430   if (!android::base::WriteStringToFd(xml.str(), fd)) {
1431     return ErrnoErrorf("Can't write to {}", file_name);
1432   }
1433 
1434   fd.reset();
1435 
1436   const std::string mount_point =
1437       fmt::format("{}/{}", kApexRoot, kApexInfoList);
1438   if (access(mount_point.c_str(), F_OK) != 0) {
1439     close(open(mount_point.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC,
1440                0644));
1441   }
1442   if (mount(file_name.c_str(), mount_point.c_str(), nullptr, MS_BIND,
1443             nullptr) == -1) {
1444     return ErrnoErrorf("Can't bind mount {} to {}", file_name, mount_point);
1445   }
1446   return RestoreconPath(file_name);
1447 }
1448 
1449 namespace {
GetActivePackagesMap()1450 std::unordered_map<std::string, uint64_t> GetActivePackagesMap() {
1451   std::vector<ApexFile> active_packages = GetActivePackages();
1452   std::unordered_map<std::string, uint64_t> ret;
1453   for (const auto& package : active_packages) {
1454     const ApexManifest& manifest = package.GetManifest();
1455     ret.insert({manifest.name(), manifest.version()});
1456   }
1457   return ret;
1458 }
1459 
1460 }  // namespace
1461 
GetFactoryPackages()1462 std::vector<ApexFile> GetFactoryPackages() {
1463   std::vector<ApexFile> ret;
1464 
1465   // Decompressed APEX is considered factory package
1466   std::vector<std::string> decompressed_pkg_names;
1467   auto active_pkgs = GetActivePackages();
1468   for (ApexFile& apex : active_pkgs) {
1469     if (ApexFileRepository::GetInstance().IsDecompressedApex(apex)) {
1470       decompressed_pkg_names.push_back(apex.GetManifest().name());
1471       ret.emplace_back(std::move(apex));
1472     }
1473   }
1474 
1475   for (const auto& dir : gConfig->apex_built_in_dirs) {
1476     auto all_apex_files = FindFilesBySuffix(
1477         dir, {kApexPackageSuffix, kCompressedApexPackageSuffix});
1478     if (!all_apex_files.ok()) {
1479       LOG(ERROR) << all_apex_files.error();
1480       continue;
1481     }
1482 
1483     for (const std::string& path : *all_apex_files) {
1484       Result<ApexFile> apex_file = ApexFile::Open(path);
1485       if (!apex_file.ok()) {
1486         LOG(ERROR) << apex_file.error();
1487         continue;
1488       }
1489       // Ignore compressed APEX if it has been decompressed already
1490       if (apex_file->IsCompressed() &&
1491           std::find(decompressed_pkg_names.begin(),
1492                     decompressed_pkg_names.end(),
1493                     apex_file->GetManifest().name()) !=
1494               decompressed_pkg_names.end()) {
1495         continue;
1496       }
1497 
1498       ret.emplace_back(std::move(*apex_file));
1499     }
1500   }
1501   return ret;
1502 }
1503 
GetActivePackage(const std::string & packageName)1504 Result<ApexFile> GetActivePackage(const std::string& packageName) {
1505   std::vector<ApexFile> packages = GetActivePackages();
1506   for (ApexFile& apex : packages) {
1507     if (apex.GetManifest().name() == packageName) {
1508       return std::move(apex);
1509     }
1510   }
1511 
1512   return ErrnoError() << "Cannot find matching package for: " << packageName;
1513 }
1514 
1515 /**
1516  * Abort individual staged session.
1517  *
1518  * Returns without error only if session was successfully aborted.
1519  **/
AbortStagedSession(int session_id)1520 Result<void> AbortStagedSession(int session_id) {
1521   auto session = ApexSession::GetSession(session_id);
1522   if (!session.ok()) {
1523     return Error() << "No session found with id " << session_id;
1524   }
1525   switch (session->GetState()) {
1526     case SessionState::VERIFIED:
1527       [[clang::fallthrough]];
1528     case SessionState::STAGED:
1529       return session->DeleteSession();
1530     default:
1531       return Error() << "Session " << *session << " can't be aborted";
1532   }
1533 }
1534 
1535 namespace {
1536 
1537 // TODO(b/179497746): Avoid scanning apex directly here
1538 // Only used in OnBootstrap. Should we remove this function?
ScanApexFiles(const char * apex_package_dir,bool include_compressed=false)1539 Result<std::vector<ApexFile>> ScanApexFiles(const char* apex_package_dir,
1540                                             bool include_compressed = false) {
1541   LOG(INFO) << "Scanning " << apex_package_dir << " looking for APEX packages.";
1542   if (access(apex_package_dir, F_OK) != 0 && errno == ENOENT) {
1543     LOG(INFO) << "... does not exist. Skipping";
1544     return {};
1545   }
1546   std::vector<std::string> suffix_list = {kApexPackageSuffix};
1547   if (include_compressed) {
1548     suffix_list.push_back(kCompressedApexPackageSuffix);
1549   }
1550   Result<std::vector<std::string>> scan =
1551       FindFilesBySuffix(apex_package_dir, suffix_list);
1552   if (!scan.ok()) {
1553     return Error() << "Failed to scan " << apex_package_dir << " : "
1554                    << scan.error();
1555   }
1556   std::vector<ApexFile> ret;
1557   for (const auto& name : *scan) {
1558     Result<ApexFile> apex_file = ApexFile::Open(name);
1559     if (!apex_file.ok()) {
1560       LOG(ERROR) << "Failed to scan " << name << " : " << apex_file.error();
1561     } else {
1562       ret.emplace_back(std::move(*apex_file));
1563     }
1564   }
1565   return ret;
1566 }
1567 
ActivateApexWorker(bool is_ota_chroot,std::queue<const ApexFile * > & apex_queue,std::mutex & mutex)1568 std::vector<Result<void>> ActivateApexWorker(
1569     bool is_ota_chroot, std::queue<const ApexFile*>& apex_queue,
1570     std::mutex& mutex) {
1571   std::vector<Result<void>> ret;
1572 
1573   while (true) {
1574     const ApexFile* apex;
1575     {
1576       std::lock_guard lock(mutex);
1577       if (apex_queue.empty()) break;
1578       apex = apex_queue.front();
1579       apex_queue.pop();
1580     }
1581 
1582     std::string device_name = GetPackageId(apex->GetManifest());
1583     if (is_ota_chroot) {
1584       device_name += ".chroot";
1585     }
1586     if (auto res = ActivatePackageImpl(*apex, device_name); !res.ok()) {
1587       ret.push_back(Error() << "Failed to activate " << apex->GetPath() << " : "
1588                             << res.error());
1589     } else {
1590       ret.push_back({});
1591     }
1592   }
1593 
1594   return ret;
1595 }
1596 
ActivateApexPackages(const std::vector<ApexFileRef> & apexes,bool is_ota_chroot)1597 Result<void> ActivateApexPackages(const std::vector<ApexFileRef>& apexes,
1598                                   bool is_ota_chroot) {
1599   std::queue<const ApexFile*> apex_queue;
1600   std::mutex apex_queue_mutex;
1601 
1602   for (const ApexFile& apex : apexes) {
1603     apex_queue.emplace(&apex);
1604   }
1605 
1606   // Creates threads as many as half number of cores for the performance.
1607   size_t worker_num = std::max(get_nprocs_conf() >> 1, 1);
1608   worker_num = std::min(apex_queue.size(), worker_num);
1609 
1610   // On -eng builds there might be two different pre-installed art apexes.
1611   // Attempting to activate them in parallel will result in UB (e.g.
1612   // apexd-bootstrap might crash). In order to avoid this, for the time being on
1613   // -eng builds activate apexes sequentially.
1614   // TODO(b/176497601): remove this.
1615   if (GetProperty("ro.build.type", "") == "eng") {
1616     worker_num = 1;
1617   }
1618 
1619   std::vector<std::future<std::vector<Result<void>>>> futures;
1620   futures.reserve(worker_num);
1621   for (size_t i = 0; i < worker_num; i++) {
1622     futures.push_back(std::async(std::launch::async, ActivateApexWorker,
1623                                  std::ref(is_ota_chroot), std::ref(apex_queue),
1624                                  std::ref(apex_queue_mutex)));
1625   }
1626 
1627   size_t activated_cnt = 0;
1628   size_t failed_cnt = 0;
1629   std::string error_message;
1630   for (size_t i = 0; i < futures.size(); i++) {
1631     for (const auto& res : futures[i].get()) {
1632       if (res.ok()) {
1633         ++activated_cnt;
1634       } else {
1635         ++failed_cnt;
1636         LOG(ERROR) << res.error();
1637         if (failed_cnt == 1) {
1638           error_message = res.error().message();
1639         }
1640       }
1641     }
1642   }
1643 
1644   if (failed_cnt > 0) {
1645     return Error() << "Failed to activate " << failed_cnt
1646                    << " APEX packages. One of the errors: " << error_message;
1647   }
1648   LOG(INFO) << "Activated " << activated_cnt << " packages.";
1649   return {};
1650 }
1651 
1652 // A fallback function in case some of the apexes failed to activate. For all
1653 // such apexes that were coming from /data partition we will attempt to activate
1654 // their corresponding pre-installed copies.
ActivateMissingApexes(const std::vector<ApexFileRef> & apexes,bool is_ota_chroot)1655 Result<void> ActivateMissingApexes(const std::vector<ApexFileRef>& apexes,
1656                                    bool is_ota_chroot) {
1657   LOG(INFO) << "Trying to activate pre-installed versions of missing apexes";
1658   const auto& file_repository = ApexFileRepository::GetInstance();
1659   const auto& activated_apexes = GetActivePackagesMap();
1660   std::vector<ApexFileRef> fallback_apexes;
1661   for (const auto& apex_ref : apexes) {
1662     const auto& apex = apex_ref.get();
1663     if (apex.GetManifest().providesharedapexlibs()) {
1664       // We must mount both versions of sharedlibs apex anyway. Not much we can
1665       // do here.
1666       continue;
1667     }
1668     if (file_repository.IsPreInstalledApex(apex)) {
1669       // We tried to activate pre-installed apex in the first place. No need to
1670       // try again.
1671       continue;
1672     }
1673     const std::string& name = apex.GetManifest().name();
1674     if (activated_apexes.find(name) == activated_apexes.end()) {
1675       fallback_apexes.push_back(file_repository.GetPreInstalledApex(name));
1676     }
1677   }
1678 
1679   // Process compressed APEX, if any
1680   std::vector<ApexFileRef> compressed_apex;
1681   for (auto it = fallback_apexes.begin(); it != fallback_apexes.end();) {
1682     if (it->get().IsCompressed()) {
1683       compressed_apex.emplace_back(*it);
1684       it = fallback_apexes.erase(it);
1685     } else {
1686       it++;
1687     }
1688   }
1689   std::vector<ApexFile> decompressed_apex;
1690   if (!compressed_apex.empty()) {
1691     decompressed_apex =
1692         ProcessCompressedApex(compressed_apex, /* is_ota_chroot= */ false);
1693     for (const ApexFile& apex_file : decompressed_apex) {
1694       fallback_apexes.emplace_back(std::cref(apex_file));
1695     }
1696   }
1697   return ActivateApexPackages(fallback_apexes, is_ota_chroot);
1698 }
1699 
1700 }  // namespace
1701 
1702 /**
1703  * Snapshots data from base_dir/apexdata/<apex name> to
1704  * base_dir/apexrollback/<rollback id>/<apex name>.
1705  */
SnapshotDataDirectory(const std::string & base_dir,const int rollback_id,const std::string & apex_name,bool pre_restore=false)1706 Result<void> SnapshotDataDirectory(const std::string& base_dir,
1707                                    const int rollback_id,
1708                                    const std::string& apex_name,
1709                                    bool pre_restore = false) {
1710   auto rollback_path =
1711       StringPrintf("%s/%s/%d%s", base_dir.c_str(), kApexSnapshotSubDir,
1712                    rollback_id, pre_restore ? kPreRestoreSuffix : "");
1713   const Result<void> result = CreateDirIfNeeded(rollback_path, 0700);
1714   if (!result.ok()) {
1715     return Error() << "Failed to create snapshot directory for rollback "
1716                    << rollback_id << " : " << result.error();
1717   }
1718   auto from_path = StringPrintf("%s/%s/%s", base_dir.c_str(), kApexDataSubDir,
1719                                 apex_name.c_str());
1720   auto to_path =
1721       StringPrintf("%s/%s", rollback_path.c_str(), apex_name.c_str());
1722 
1723   return ReplaceFiles(from_path, to_path);
1724 }
1725 
1726 /**
1727  * Restores snapshot from base_dir/apexrollback/<rollback id>/<apex name>
1728  * to base_dir/apexdata/<apex name>.
1729  * Note the snapshot will be deleted after restoration succeeded.
1730  */
RestoreDataDirectory(const std::string & base_dir,const int rollback_id,const std::string & apex_name,bool pre_restore=false)1731 Result<void> RestoreDataDirectory(const std::string& base_dir,
1732                                   const int rollback_id,
1733                                   const std::string& apex_name,
1734                                   bool pre_restore = false) {
1735   auto from_path = StringPrintf(
1736       "%s/%s/%d%s/%s", base_dir.c_str(), kApexSnapshotSubDir, rollback_id,
1737       pre_restore ? kPreRestoreSuffix : "", apex_name.c_str());
1738   auto to_path = StringPrintf("%s/%s/%s", base_dir.c_str(), kApexDataSubDir,
1739                               apex_name.c_str());
1740   Result<void> result = ReplaceFiles(from_path, to_path);
1741   if (!result.ok()) {
1742     return result;
1743   }
1744   result = RestoreconPath(to_path);
1745   if (!result.ok()) {
1746     return result;
1747   }
1748   result = DeleteDir(from_path);
1749   if (!result.ok()) {
1750     LOG(ERROR) << "Failed to delete the snapshot: " << result.error();
1751   }
1752   return {};
1753 }
1754 
SnapshotOrRestoreDeIfNeeded(const std::string & base_dir,const ApexSession & session)1755 void SnapshotOrRestoreDeIfNeeded(const std::string& base_dir,
1756                                  const ApexSession& session) {
1757   if (session.HasRollbackEnabled()) {
1758     for (const auto& apex_name : session.GetApexNames()) {
1759       Result<void> result =
1760           SnapshotDataDirectory(base_dir, session.GetRollbackId(), apex_name);
1761       if (!result.ok()) {
1762         LOG(ERROR) << "Snapshot failed for " << apex_name << ": "
1763                    << result.error();
1764       }
1765     }
1766   } else if (session.IsRollback()) {
1767     for (const auto& apex_name : session.GetApexNames()) {
1768       if (!gSupportsFsCheckpoints) {
1769         // Snapshot before restore so this rollback can be reverted.
1770         SnapshotDataDirectory(base_dir, session.GetRollbackId(), apex_name,
1771                               true /* pre_restore */);
1772       }
1773       Result<void> result =
1774           RestoreDataDirectory(base_dir, session.GetRollbackId(), apex_name);
1775       if (!result.ok()) {
1776         LOG(ERROR) << "Restore of data failed for " << apex_name << ": "
1777                    << result.error();
1778       }
1779     }
1780   }
1781 }
1782 
SnapshotOrRestoreDeSysData()1783 void SnapshotOrRestoreDeSysData() {
1784   auto sessions = ApexSession::GetSessionsInState(SessionState::ACTIVATED);
1785 
1786   for (const ApexSession& session : sessions) {
1787     SnapshotOrRestoreDeIfNeeded(kDeSysDataDir, session);
1788   }
1789 }
1790 
SnapshotOrRestoreDeUserData()1791 int SnapshotOrRestoreDeUserData() {
1792   auto user_dirs = GetDeUserDirs();
1793 
1794   if (!user_dirs.ok()) {
1795     LOG(ERROR) << "Error reading dirs " << user_dirs.error();
1796     return 1;
1797   }
1798 
1799   auto sessions = ApexSession::GetSessionsInState(SessionState::ACTIVATED);
1800 
1801   for (const ApexSession& session : sessions) {
1802     for (const auto& user_dir : *user_dirs) {
1803       SnapshotOrRestoreDeIfNeeded(user_dir, session);
1804     }
1805   }
1806 
1807   return 0;
1808 }
1809 
SnapshotCeData(const int user_id,const int rollback_id,const std::string & apex_name)1810 Result<void> SnapshotCeData(const int user_id, const int rollback_id,
1811                             const std::string& apex_name) {
1812   auto base_dir = StringPrintf("%s/%d", kCeDataDir, user_id);
1813   return SnapshotDataDirectory(base_dir, rollback_id, apex_name);
1814 }
1815 
RestoreCeData(const int user_id,const int rollback_id,const std::string & apex_name)1816 Result<void> RestoreCeData(const int user_id, const int rollback_id,
1817                            const std::string& apex_name) {
1818   auto base_dir = StringPrintf("%s/%d", kCeDataDir, user_id);
1819   return RestoreDataDirectory(base_dir, rollback_id, apex_name);
1820 }
1821 
1822 //  Migrates sessions directory from /data/apex/sessions to
1823 //  /metadata/apex/sessions, if necessary.
MigrateSessionsDirIfNeeded()1824 Result<void> MigrateSessionsDirIfNeeded() {
1825   return ApexSession::MigrateToMetadataSessionsDir();
1826 }
1827 
DestroySnapshots(const std::string & base_dir,const int rollback_id)1828 Result<void> DestroySnapshots(const std::string& base_dir,
1829                               const int rollback_id) {
1830   auto path = StringPrintf("%s/%s/%d", base_dir.c_str(), kApexSnapshotSubDir,
1831                            rollback_id);
1832   return DeleteDir(path);
1833 }
1834 
DestroyDeSnapshots(const int rollback_id)1835 Result<void> DestroyDeSnapshots(const int rollback_id) {
1836   DestroySnapshots(kDeSysDataDir, rollback_id);
1837 
1838   auto user_dirs = GetDeUserDirs();
1839   if (!user_dirs.ok()) {
1840     return Error() << "Error reading user dirs " << user_dirs.error();
1841   }
1842 
1843   for (const auto& user_dir : *user_dirs) {
1844     DestroySnapshots(user_dir, rollback_id);
1845   }
1846 
1847   return {};
1848 }
1849 
DestroyCeSnapshots(const int user_id,const int rollback_id)1850 Result<void> DestroyCeSnapshots(const int user_id, const int rollback_id) {
1851   auto path = StringPrintf("%s/%d/%s/%d", kCeDataDir, user_id,
1852                            kApexSnapshotSubDir, rollback_id);
1853   return DeleteDir(path);
1854 }
1855 
1856 /**
1857  * Deletes all credential-encrypted snapshots for the given user, except for
1858  * those listed in retain_rollback_ids.
1859  */
DestroyCeSnapshotsNotSpecified(int user_id,const std::vector<int> & retain_rollback_ids)1860 Result<void> DestroyCeSnapshotsNotSpecified(
1861     int user_id, const std::vector<int>& retain_rollback_ids) {
1862   auto snapshot_root =
1863       StringPrintf("%s/%d/%s", kCeDataDir, user_id, kApexSnapshotSubDir);
1864   auto snapshot_dirs = GetSubdirs(snapshot_root);
1865   if (!snapshot_dirs.ok()) {
1866     return Error() << "Error reading snapshot dirs " << snapshot_dirs.error();
1867   }
1868 
1869   for (const auto& snapshot_dir : *snapshot_dirs) {
1870     uint snapshot_id;
1871     bool parse_ok = ParseUint(
1872         std::filesystem::path(snapshot_dir).filename().c_str(), &snapshot_id);
1873     if (parse_ok &&
1874         std::find(retain_rollback_ids.begin(), retain_rollback_ids.end(),
1875                   snapshot_id) == retain_rollback_ids.end()) {
1876       Result<void> result = DeleteDir(snapshot_dir);
1877       if (!result.ok()) {
1878         return Error() << "Destroy CE snapshot failed for " << snapshot_dir
1879                        << " : " << result.error();
1880       }
1881     }
1882   }
1883   return {};
1884 }
1885 
RestorePreRestoreSnapshotsIfPresent(const std::string & base_dir,const ApexSession & session)1886 void RestorePreRestoreSnapshotsIfPresent(const std::string& base_dir,
1887                                          const ApexSession& session) {
1888   auto pre_restore_snapshot_path =
1889       StringPrintf("%s/%s/%d%s", base_dir.c_str(), kApexSnapshotSubDir,
1890                    session.GetRollbackId(), kPreRestoreSuffix);
1891   if (PathExists(pre_restore_snapshot_path).ok()) {
1892     for (const auto& apex_name : session.GetApexNames()) {
1893       Result<void> result = RestoreDataDirectory(
1894           base_dir, session.GetRollbackId(), apex_name, true /* pre_restore */);
1895       if (!result.ok()) {
1896         LOG(ERROR) << "Restore of pre-restore snapshot failed for " << apex_name
1897                    << ": " << result.error();
1898       }
1899     }
1900   }
1901 }
1902 
RestoreDePreRestoreSnapshotsIfPresent(const ApexSession & session)1903 void RestoreDePreRestoreSnapshotsIfPresent(const ApexSession& session) {
1904   RestorePreRestoreSnapshotsIfPresent(kDeSysDataDir, session);
1905 
1906   auto user_dirs = GetDeUserDirs();
1907   if (!user_dirs.ok()) {
1908     LOG(ERROR) << "Error reading user dirs to restore pre-restore snapshots"
1909                << user_dirs.error();
1910   }
1911 
1912   for (const auto& user_dir : *user_dirs) {
1913     RestorePreRestoreSnapshotsIfPresent(user_dir, session);
1914   }
1915 }
1916 
DeleteDePreRestoreSnapshots(const std::string & base_dir,const ApexSession & session)1917 void DeleteDePreRestoreSnapshots(const std::string& base_dir,
1918                                  const ApexSession& session) {
1919   auto pre_restore_snapshot_path =
1920       StringPrintf("%s/%s/%d%s", base_dir.c_str(), kApexSnapshotSubDir,
1921                    session.GetRollbackId(), kPreRestoreSuffix);
1922   Result<void> result = DeleteDir(pre_restore_snapshot_path);
1923   if (!result.ok()) {
1924     LOG(ERROR) << "Deletion of pre-restore snapshot failed: " << result.error();
1925   }
1926 }
1927 
DeleteDePreRestoreSnapshots(const ApexSession & session)1928 void DeleteDePreRestoreSnapshots(const ApexSession& session) {
1929   DeleteDePreRestoreSnapshots(kDeSysDataDir, session);
1930 
1931   auto user_dirs = GetDeUserDirs();
1932   if (!user_dirs.ok()) {
1933     LOG(ERROR) << "Error reading user dirs to delete pre-restore snapshots"
1934                << user_dirs.error();
1935   }
1936 
1937   for (const auto& user_dir : *user_dirs) {
1938     DeleteDePreRestoreSnapshots(user_dir, session);
1939   }
1940 }
1941 
OnBootCompleted()1942 void OnBootCompleted() {
1943   ApexdLifecycle::GetInstance().MarkBootCompleted();
1944   BootCompletedCleanup();
1945 }
1946 
1947 // Returns true if any session gets staged
ScanStagedSessionsDirAndStage()1948 void ScanStagedSessionsDirAndStage() {
1949   LOG(INFO) << "Scanning " << ApexSession::GetSessionsDir()
1950             << " looking for sessions to be activated.";
1951 
1952   auto sessions_to_activate =
1953       ApexSession::GetSessionsInState(SessionState::STAGED);
1954   if (gSupportsFsCheckpoints) {
1955     // A session that is in the ACTIVATED state should still be re-activated if
1956     // fs checkpointing is supported. In this case, a session may be in the
1957     // ACTIVATED state yet the data/apex/active directory may have been
1958     // reverted. The session should be reverted in this scenario.
1959     auto activated_sessions =
1960         ApexSession::GetSessionsInState(SessionState::ACTIVATED);
1961     sessions_to_activate.insert(sessions_to_activate.end(),
1962                                 activated_sessions.begin(),
1963                                 activated_sessions.end());
1964   }
1965 
1966   for (auto& session : sessions_to_activate) {
1967     auto session_id = session.GetId();
1968 
1969     auto session_failed_fn = [&]() {
1970       LOG(WARNING) << "Marking session " << session_id << " as failed.";
1971       auto st = session.UpdateStateAndCommit(SessionState::ACTIVATION_FAILED);
1972       if (!st.ok()) {
1973         LOG(WARNING) << "Failed to mark session " << session_id
1974                      << " as failed : " << st.error();
1975       }
1976     };
1977     auto scope_guard = android::base::make_scope_guard(session_failed_fn);
1978 
1979     std::string build_fingerprint = GetProperty(kBuildFingerprintSysprop, "");
1980     if (session.GetBuildFingerprint().compare(build_fingerprint) != 0) {
1981       auto error_message = "APEX build fingerprint has changed";
1982       LOG(ERROR) << error_message;
1983       session.SetErrorMessage(error_message);
1984       continue;
1985     }
1986 
1987     // If device supports fs-checkpoint, then apex session should only be
1988     // installed when in checkpoint-mode. Otherwise, we will not be able to
1989     // revert /data on error.
1990     if (gSupportsFsCheckpoints && !gInFsCheckpointMode) {
1991       auto error_message =
1992           "Cannot install apex session if not in fs-checkpoint mode";
1993       LOG(ERROR) << error_message;
1994       session.SetErrorMessage(error_message);
1995       continue;
1996     }
1997 
1998     std::vector<std::string> dirs_to_scan;
1999     if (session.GetChildSessionIds().empty()) {
2000       dirs_to_scan.push_back(std::string(gConfig->staged_session_dir) +
2001                              "/session_" + std::to_string(session_id));
2002     } else {
2003       for (auto child_session_id : session.GetChildSessionIds()) {
2004         dirs_to_scan.push_back(std::string(gConfig->staged_session_dir) +
2005                                "/session_" + std::to_string(child_session_id));
2006       }
2007     }
2008 
2009     std::vector<std::string> apexes;
2010     bool scan_successful = true;
2011     for (const auto& dir_to_scan : dirs_to_scan) {
2012       Result<std::vector<std::string>> scan =
2013           FindFilesBySuffix(dir_to_scan, {kApexPackageSuffix});
2014       if (!scan.ok()) {
2015         LOG(WARNING) << scan.error();
2016         session.SetErrorMessage(scan.error().message());
2017         scan_successful = false;
2018         break;
2019       }
2020 
2021       if (scan->size() > 1) {
2022         std::string error_message = StringPrintf(
2023             "More than one APEX package found in the same session directory %s "
2024             ", skipping activation",
2025             dir_to_scan.c_str());
2026         LOG(WARNING) << error_message;
2027         session.SetErrorMessage(error_message);
2028         scan_successful = false;
2029         break;
2030       }
2031 
2032       if (scan->empty()) {
2033         std::string error_message = StringPrintf(
2034             "No APEX packages found while scanning %s session id: %d.",
2035             dir_to_scan.c_str(), session_id);
2036         LOG(WARNING) << error_message;
2037         session.SetErrorMessage(error_message);
2038         scan_successful = false;
2039         break;
2040       }
2041       apexes.push_back(std::move((*scan)[0]));
2042     }
2043 
2044     if (!scan_successful) {
2045       continue;
2046     }
2047 
2048     // Run postinstall, if necessary.
2049     Result<void> postinstall_status = PostinstallPackages(apexes);
2050     if (!postinstall_status.ok()) {
2051       std::string error_message =
2052           StringPrintf("Postinstall failed for session %d %s", session_id,
2053                        postinstall_status.error().message().c_str());
2054       LOG(ERROR) << error_message;
2055       session.SetErrorMessage(error_message);
2056       continue;
2057     }
2058 
2059     for (const auto& apex : apexes) {
2060       // TODO(b/158470836): Avoid opening ApexFile repeatedly.
2061       Result<ApexFile> apex_file = ApexFile::Open(apex);
2062       if (!apex_file.ok()) {
2063         LOG(ERROR) << "Cannot open apex file during staging: " << apex;
2064         continue;
2065       }
2066       session.AddApexName(apex_file->GetManifest().name());
2067     }
2068 
2069     const Result<void> result = StagePackages(apexes);
2070     if (!result.ok()) {
2071       std::string error_message = StringPrintf(
2072           "Activation failed for packages %s : %s", Join(apexes, ',').c_str(),
2073           result.error().message().c_str());
2074       LOG(ERROR) << error_message;
2075       session.SetErrorMessage(error_message);
2076       continue;
2077     }
2078 
2079     // Session was OK, release scopeguard.
2080     scope_guard.Disable();
2081 
2082     auto st = session.UpdateStateAndCommit(SessionState::ACTIVATED);
2083     if (!st.ok()) {
2084       LOG(ERROR) << "Failed to mark " << session
2085                  << " as activated : " << st.error();
2086     }
2087   }
2088 }
2089 
PreinstallPackages(const std::vector<std::string> & paths)2090 Result<void> PreinstallPackages(const std::vector<std::string>& paths) {
2091   Result<std::vector<ApexFile>> apex_files = OpenApexFiles(paths);
2092   if (!apex_files.ok()) {
2093     return apex_files.error();
2094   }
2095   LOG(DEBUG) << "PreinstallPackages() for " << Join(paths, ',');
2096   return PreinstallPackages(*apex_files);
2097 }
2098 
PostinstallPackages(const std::vector<std::string> & paths)2099 Result<void> PostinstallPackages(const std::vector<std::string>& paths) {
2100   Result<std::vector<ApexFile>> apex_files = OpenApexFiles(paths);
2101   if (!apex_files.ok()) {
2102     return apex_files.error();
2103   }
2104   LOG(DEBUG) << "PostinstallPackages() for " << Join(paths, ',');
2105   return PostinstallPackages(*apex_files);
2106 }
2107 
2108 namespace {
StageDestPath(const ApexFile & apex_file)2109 std::string StageDestPath(const ApexFile& apex_file) {
2110   return StringPrintf("%s/%s%s", gConfig->active_apex_data_dir,
2111                       GetPackageId(apex_file.GetManifest()).c_str(),
2112                       kApexPackageSuffix);
2113 }
2114 
2115 }  // namespace
2116 
StagePackages(const std::vector<std::string> & tmp_paths)2117 Result<void> StagePackages(const std::vector<std::string>& tmp_paths) {
2118   if (tmp_paths.empty()) {
2119     return Errorf("Empty set of inputs");
2120   }
2121   LOG(DEBUG) << "StagePackages() for " << Join(tmp_paths, ',');
2122 
2123   // Note: this function is temporary. As such the code is not optimized, e.g.,
2124   //       it will open ApexFiles multiple times.
2125 
2126   // 1) Verify all packages.
2127   Result<std::vector<ApexFile>> apex_files = OpenApexFiles(tmp_paths);
2128   if (!apex_files.ok()) {
2129     return apex_files.error();
2130   }
2131   for (const ApexFile& apex_file : *apex_files) {
2132     if (shim::IsShimApex(apex_file)) {
2133       // Shim apex will be validated on every boot. No need to do it here.
2134       continue;
2135     }
2136     Result<void> result = VerifyPackageBoot(apex_file);
2137     if (!result.ok()) {
2138       return result.error();
2139     }
2140   }
2141 
2142   // Make sure that kActiveApexPackagesDataDir exists.
2143   auto create_dir_status =
2144       CreateDirIfNeeded(std::string(gConfig->active_apex_data_dir), 0755);
2145   if (!create_dir_status.ok()) {
2146     return create_dir_status.error();
2147   }
2148 
2149   // 2) Now stage all of them.
2150 
2151   // Ensure the APEX gets removed on failure.
2152   std::unordered_set<std::string> staged_files;
2153   std::vector<std::string> changed_hashtree_files;
2154   auto deleter = [&staged_files, &changed_hashtree_files]() {
2155     for (const std::string& staged_path : staged_files) {
2156       if (TEMP_FAILURE_RETRY(unlink(staged_path.c_str())) != 0) {
2157         PLOG(ERROR) << "Unable to unlink " << staged_path;
2158       }
2159     }
2160     for (const std::string& hashtree_file : changed_hashtree_files) {
2161       if (TEMP_FAILURE_RETRY(unlink(hashtree_file.c_str())) != 0) {
2162         PLOG(ERROR) << "Unable to unlink " << hashtree_file;
2163       }
2164     }
2165   };
2166   auto scope_guard = android::base::make_scope_guard(deleter);
2167 
2168   std::unordered_set<std::string> staged_packages;
2169   for (const ApexFile& apex_file : *apex_files) {
2170     // First promote new hashtree file to the one that will be used when
2171     // mounting apex.
2172     std::string new_hashtree_file = GetHashTreeFileName(apex_file,
2173                                                         /* is_new = */ true);
2174     std::string old_hashtree_file = GetHashTreeFileName(apex_file,
2175                                                         /* is_new = */ false);
2176     if (access(new_hashtree_file.c_str(), F_OK) == 0) {
2177       if (TEMP_FAILURE_RETRY(rename(new_hashtree_file.c_str(),
2178                                     old_hashtree_file.c_str())) != 0) {
2179         return ErrnoError() << "Failed to move " << new_hashtree_file << " to "
2180                             << old_hashtree_file;
2181       }
2182       changed_hashtree_files.emplace_back(std::move(old_hashtree_file));
2183     }
2184     // And only then move apex to /data/apex/active.
2185     std::string dest_path = StageDestPath(apex_file);
2186     if (access(dest_path.c_str(), F_OK) == 0) {
2187       LOG(DEBUG) << dest_path << " already exists. Deleting";
2188       if (TEMP_FAILURE_RETRY(unlink(dest_path.c_str())) != 0) {
2189         return ErrnoError() << "Failed to unlink " << dest_path;
2190       }
2191     }
2192 
2193     if (link(apex_file.GetPath().c_str(), dest_path.c_str()) != 0) {
2194       return ErrnoError() << "Unable to link " << apex_file.GetPath() << " to "
2195                           << dest_path;
2196     }
2197     staged_files.insert(dest_path);
2198     staged_packages.insert(apex_file.GetManifest().name());
2199 
2200     LOG(DEBUG) << "Success linking " << apex_file.GetPath() << " to "
2201                << dest_path;
2202   }
2203 
2204   scope_guard.Disable();  // Accept the state.
2205 
2206   return RemovePreviouslyActiveApexFiles(staged_packages, staged_files);
2207 }
2208 
UnstagePackages(const std::vector<std::string> & paths)2209 Result<void> UnstagePackages(const std::vector<std::string>& paths) {
2210   if (paths.empty()) {
2211     return Errorf("Empty set of inputs");
2212   }
2213   LOG(DEBUG) << "UnstagePackages() for " << Join(paths, ',');
2214 
2215   for (const std::string& path : paths) {
2216     auto apex = ApexFile::Open(path);
2217     if (!apex.ok()) {
2218       return apex.error();
2219     }
2220     if (ApexFileRepository::GetInstance().IsPreInstalledApex(*apex)) {
2221       return Error() << "Can't uninstall pre-installed apex " << path;
2222     }
2223   }
2224 
2225   for (const std::string& path : paths) {
2226     if (unlink(path.c_str()) != 0) {
2227       return ErrnoError() << "Can't unlink " << path;
2228     }
2229   }
2230 
2231   return {};
2232 }
2233 
2234 /**
2235  * During apex installation, staged sessions located in /data/apex/sessions
2236  * mutate the active sessions in /data/apex/active. If some error occurs during
2237  * installation of apex, we need to revert /data/apex/active to its original
2238  * state and reboot.
2239  *
2240  * Also, we need to put staged sessions in /data/apex/sessions in REVERTED state
2241  * so that they do not get activated on next reboot.
2242  */
RevertActiveSessions(const std::string & crashing_native_process,const std::string & error_message)2243 Result<void> RevertActiveSessions(const std::string& crashing_native_process,
2244                                   const std::string& error_message) {
2245   // First check whenever there is anything to revert. If there is none, then
2246   // fail. This prevents apexd from boot looping a device in case a native
2247   // process is crashing and there are no apex updates.
2248   auto active_sessions = ApexSession::GetActiveSessions();
2249   if (active_sessions.empty()) {
2250     return Error() << "Revert requested, when there are no active sessions.";
2251   }
2252 
2253   for (auto& session : active_sessions) {
2254     if (!crashing_native_process.empty()) {
2255       session.SetCrashingNativeProcess(crashing_native_process);
2256     }
2257     if (!error_message.empty()) {
2258       session.SetErrorMessage(error_message);
2259     }
2260     auto status =
2261         session.UpdateStateAndCommit(SessionState::REVERT_IN_PROGRESS);
2262     if (!status.ok()) {
2263       return Error() << "Revert of session " << session
2264                      << " failed : " << status.error();
2265     }
2266   }
2267 
2268   if (!gSupportsFsCheckpoints) {
2269     auto restore_status = RestoreActivePackages();
2270     if (!restore_status.ok()) {
2271       for (auto& session : active_sessions) {
2272         auto st = session.UpdateStateAndCommit(SessionState::REVERT_FAILED);
2273         LOG(DEBUG) << "Marking " << session << " as failed to revert";
2274         if (!st.ok()) {
2275           LOG(WARNING) << "Failed to mark session " << session
2276                        << " as failed to revert : " << st.error();
2277         }
2278       }
2279       return restore_status;
2280     }
2281   } else {
2282     LOG(INFO) << "Not restoring active packages in checkpoint mode.";
2283   }
2284 
2285   for (auto& session : active_sessions) {
2286     if (!gSupportsFsCheckpoints && session.IsRollback()) {
2287       // If snapshots have already been restored, undo that by restoring the
2288       // pre-restore snapshot.
2289       RestoreDePreRestoreSnapshotsIfPresent(session);
2290     }
2291 
2292     auto status = session.UpdateStateAndCommit(SessionState::REVERTED);
2293     if (!status.ok()) {
2294       LOG(WARNING) << "Failed to mark session " << session
2295                    << " as reverted : " << status.error();
2296     }
2297   }
2298 
2299   return {};
2300 }
2301 
RevertActiveSessionsAndReboot(const std::string & crashing_native_process,const std::string & error_message)2302 Result<void> RevertActiveSessionsAndReboot(
2303     const std::string& crashing_native_process,
2304     const std::string& error_message) {
2305   auto status = RevertActiveSessions(crashing_native_process, error_message);
2306   if (!status.ok()) {
2307     return status;
2308   }
2309   LOG(ERROR) << "Successfully reverted. Time to reboot device.";
2310   if (gInFsCheckpointMode) {
2311     Result<void> res = gVoldService->AbortChanges(
2312         "apexd_initiated" /* message */, false /* retry */);
2313     if (!res.ok()) {
2314       LOG(ERROR) << res.error();
2315     }
2316   }
2317   Reboot();
2318   return {};
2319 }
2320 
CreateSharedLibsApexDir()2321 Result<void> CreateSharedLibsApexDir() {
2322   // Creates /apex/sharedlibs/lib{,64} for SharedLibs APEXes.
2323   std::string shared_libs_sub_dir =
2324       StringPrintf("%s/%s", kApexRoot, kApexSharedLibsSubDir);
2325   auto dir_exists = PathExists(shared_libs_sub_dir);
2326   if (!dir_exists.ok() || !*dir_exists) {
2327     std::error_code error_code;
2328     std::filesystem::create_directory(shared_libs_sub_dir, error_code);
2329     if (error_code) {
2330       return Error() << "Failed to create directory " << shared_libs_sub_dir
2331                      << ": " << error_code.message();
2332     }
2333   }
2334   for (const auto& lib_path : {"lib", "lib64"}) {
2335     std::string apex_lib_path =
2336         StringPrintf("%s/%s", shared_libs_sub_dir.c_str(), lib_path);
2337     auto lib_dir_exists = PathExists(apex_lib_path);
2338     if (!lib_dir_exists.ok() || !*lib_dir_exists) {
2339       std::error_code error_code;
2340       std::filesystem::create_directory(apex_lib_path, error_code);
2341       if (error_code) {
2342         return Error() << "Failed to create directory " << apex_lib_path << ": "
2343                        << error_code.message();
2344       }
2345     }
2346   }
2347 
2348   return {};
2349 }
2350 
OnBootstrap()2351 int OnBootstrap() {
2352   auto time_started = boot_clock::now();
2353   Result<void> pre_allocate = PreAllocateLoopDevices();
2354   if (!pre_allocate.ok()) {
2355     LOG(ERROR) << "Failed to pre-allocate loop devices : "
2356                << pre_allocate.error();
2357   }
2358 
2359   ApexFileRepository& instance = ApexFileRepository::GetInstance();
2360   static const std::vector<std::string> kBootstrapApexDirs{
2361       kApexPackageSystemDir, kApexPackageSystemExtDir, kApexPackageVendorDir};
2362   Result<void> status = instance.AddPreInstalledApex(kBootstrapApexDirs);
2363   if (!status.ok()) {
2364     LOG(ERROR) << "Failed to collect APEX keys : " << status.error();
2365     return 1;
2366   }
2367 
2368   // Create directories for APEX shared libraries.
2369   auto sharedlibs_apex_dir = CreateSharedLibsApexDir();
2370   if (!sharedlibs_apex_dir.ok()) {
2371     LOG(ERROR) << sharedlibs_apex_dir.error();
2372     return 1;
2373   }
2374 
2375   // Find all bootstrap apexes
2376   std::vector<ApexFile> bootstrap_apexes;
2377   for (const auto& dir : kBootstrapApexDirs) {
2378     auto scan = ScanApexFiles(dir.c_str());
2379     if (!scan.ok()) {
2380       LOG(ERROR) << "Failed to scan APEX files in " << dir << " : "
2381                  << scan.error();
2382       return 1;
2383     }
2384     std::copy_if(std::make_move_iterator(scan->begin()),
2385                  std::make_move_iterator(scan->end()),
2386                  std::back_inserter(bootstrap_apexes), IsBootstrapApex);
2387   }
2388 
2389   // Now activate bootstrap apexes.
2390   std::vector<ApexFileRef> bootstrap_apexes_ref;
2391   std::transform(bootstrap_apexes.begin(), bootstrap_apexes.end(),
2392                  std::back_inserter(bootstrap_apexes_ref),
2393                  [](const auto& x) { return std::cref(x); });
2394   auto ret = ActivateApexPackages(bootstrap_apexes_ref,
2395                                   /* is_ota_chroot= */ false);
2396   if (!ret.ok()) {
2397     LOG(ERROR) << "Failed to activate bootstrap apex files : " << ret.error();
2398     return 1;
2399   }
2400 
2401   OnAllPackagesActivated(/*is_bootstrap=*/true);
2402   auto time_elapsed = std::chrono::duration_cast<std::chrono::milliseconds>(
2403     boot_clock::now() - time_started).count();
2404   LOG(INFO) << "OnBootstrap done, duration=" << time_elapsed;
2405   return 0;
2406 }
2407 
RemountApexFile(const std::string & path)2408 Result<void> RemountApexFile(const std::string& path) {
2409   if (auto ret = DeactivatePackage(path); !ret.ok()) {
2410     return ret;
2411   }
2412   return ActivatePackage(path);
2413 }
2414 
InitializeVold(CheckpointInterface * checkpoint_service)2415 void InitializeVold(CheckpointInterface* checkpoint_service) {
2416   if (checkpoint_service != nullptr) {
2417     gVoldService = checkpoint_service;
2418     Result<bool> supports_fs_checkpoints =
2419         gVoldService->SupportsFsCheckpoints();
2420     if (supports_fs_checkpoints.ok()) {
2421       gSupportsFsCheckpoints = *supports_fs_checkpoints;
2422     } else {
2423       LOG(ERROR) << "Failed to check if filesystem checkpoints are supported: "
2424                  << supports_fs_checkpoints.error();
2425     }
2426     if (gSupportsFsCheckpoints) {
2427       Result<bool> needs_checkpoint = gVoldService->NeedsCheckpoint();
2428       if (needs_checkpoint.ok()) {
2429         gInFsCheckpointMode = *needs_checkpoint;
2430       } else {
2431         LOG(ERROR) << "Failed to check if we're in filesystem checkpoint mode: "
2432                    << needs_checkpoint.error();
2433       }
2434     }
2435   }
2436 }
2437 
Initialize(CheckpointInterface * checkpoint_service)2438 void Initialize(CheckpointInterface* checkpoint_service) {
2439   InitializeVold(checkpoint_service);
2440   ApexFileRepository& instance = ApexFileRepository::GetInstance();
2441   Result<void> status = instance.AddPreInstalledApex(kApexPackageBuiltinDirs);
2442   if (!status.ok()) {
2443     LOG(ERROR) << "Failed to collect pre-installed APEX files : "
2444                << status.error();
2445     return;
2446   }
2447   gMountedApexes.PopulateFromMounts(gConfig->active_apex_data_dir,
2448                                     gConfig->decompression_dir,
2449                                     gConfig->apex_hash_tree_dir);
2450 }
2451 
2452 // Note: Pre-installed apex are initialized in Initialize(CheckpointInterface*)
2453 // TODO(b/172911822): Consolidate this with Initialize() when
2454 //  ApexFileRepository can act as cache and re-scanning is not expensive
InitializeDataApex()2455 void InitializeDataApex() {
2456   ApexFileRepository& instance = ApexFileRepository::GetInstance();
2457   Result<void> status = instance.AddDataApex(kActiveApexPackagesDataDir);
2458   if (!status.ok()) {
2459     LOG(ERROR) << "Failed to collect data APEX files : " << status.error();
2460     return;
2461   }
2462 }
2463 
2464 /**
2465  * For every package X, there can be at most two APEX, pre-installed vs
2466  * installed on data. We usually select only one of these APEX for each package
2467  * based on the following conditions:
2468  *   - Package X must be pre-installed on one of the built-in directories.
2469  *   - If there are multiple APEX, we select the one with highest version.
2470  *   - If there are multiple with same version, we give priority to APEX on
2471  * /data partition.
2472  *
2473  * Typically, only one APEX is activated for each package, but APEX that provide
2474  * shared libs are exceptions. We have to activate both APEX for them.
2475  *
2476  * @param all_apex all the APEX grouped by their package name
2477  * @return list of ApexFile that needs to be activated
2478  */
SelectApexForActivation(const std::unordered_map<std::string,std::vector<ApexFileRef>> & all_apex,const ApexFileRepository & instance)2479 std::vector<ApexFileRef> SelectApexForActivation(
2480     const std::unordered_map<std::string, std::vector<ApexFileRef>>& all_apex,
2481     const ApexFileRepository& instance) {
2482   LOG(INFO) << "Selecting APEX for activation";
2483   std::vector<ApexFileRef> activation_list;
2484   // For every package X, select which APEX to activate
2485   for (auto& apex_it : all_apex) {
2486     const std::string& package_name = apex_it.first;
2487     const std::vector<ApexFileRef>& apex_files = apex_it.second;
2488 
2489     if (apex_files.size() > 2 || apex_files.size() == 0) {
2490       LOG(FATAL) << "Unexpectedly found more than two versions or none for "
2491                     "APEX package "
2492                  << package_name;
2493       continue;
2494     }
2495 
2496     // The package must have a pre-installed version before we consider it for
2497     // activation
2498     if (!instance.HasPreInstalledVersion(package_name)) {
2499       LOG(INFO) << "Package " << package_name << " is not pre-installed";
2500       continue;
2501     }
2502 
2503     if (apex_files.size() == 1) {
2504       LOG(DEBUG) << "Selecting the only APEX: " << package_name << " "
2505                  << apex_files[0].get().GetPath();
2506       activation_list.emplace_back(apex_files[0]);
2507       continue;
2508     }
2509 
2510     // TODO(b/179497746): Now that we are dealing with list of reference, this
2511     //  selection process can be simplified by sorting the vector.
2512 
2513     // Given an APEX A and the version of the other APEX B, should we activate
2514     // it?
2515     auto select_apex = [&instance, &activation_list](
2516                            const ApexFileRef& a_ref,
2517                            const int version_b) mutable {
2518       const ApexFile& a = a_ref.get();
2519       // If A has higher version than B, then it should be activated
2520       const bool higher_version = a.GetManifest().version() > version_b;
2521       // If A has same version as B, then data version should get activated
2522       const bool same_version_priority_to_data =
2523           a.GetManifest().version() == version_b &&
2524           !instance.IsPreInstalledApex(a);
2525 
2526       // APEX that provides shared library are special:
2527       //  - if preinstalled version is lower than data version, both versions
2528       //    are activated.
2529       //  - if preinstalled version is equal to data version, data version only
2530       //    is activated.
2531       //  - if preinstalled version is higher than data version, preinstalled
2532       //    version only is activated.
2533       const bool provides_shared_apex_libs =
2534           a.GetManifest().providesharedapexlibs();
2535       bool activate = false;
2536       if (provides_shared_apex_libs) {
2537         // preinstalled version gets activated in all cases except when same
2538         // version as data.
2539         if (instance.IsPreInstalledApex(a) &&
2540             (a.GetManifest().version() != version_b)) {
2541           LOG(DEBUG) << "Activating preinstalled shared libs APEX: "
2542                      << a.GetManifest().name() << " " << a.GetPath();
2543           activate = true;
2544         }
2545         // data version gets activated in all cases except when its version
2546         // is lower than preinstalled version.
2547         if (!instance.IsPreInstalledApex(a) &&
2548             (a.GetManifest().version() >= version_b)) {
2549           LOG(DEBUG) << "Activating shared libs APEX: "
2550                      << a.GetManifest().name() << " " << a.GetPath();
2551           activate = true;
2552         }
2553       } else if (higher_version || same_version_priority_to_data) {
2554         LOG(DEBUG) << "Selecting between two APEX: " << a.GetManifest().name()
2555                    << " " << a.GetPath();
2556         activate = true;
2557       }
2558       if (activate) {
2559         activation_list.emplace_back(a_ref);
2560       }
2561     };
2562     const int version_0 = apex_files[0].get().GetManifest().version();
2563     const int version_1 = apex_files[1].get().GetManifest().version();
2564     select_apex(apex_files[0].get(), version_1);
2565     select_apex(apex_files[1].get(), version_0);
2566   }
2567   return activation_list;
2568 }
2569 
2570 namespace {
2571 
OpenAndValidateDecompressedApex(const ApexFile & capex,const std::string & apex_path)2572 Result<ApexFile> OpenAndValidateDecompressedApex(const ApexFile& capex,
2573                                                  const std::string& apex_path) {
2574   auto apex = ApexFile::Open(apex_path);
2575   if (!apex.ok()) {
2576     return Error() << "Failed to open decompressed APEX: " << apex.error();
2577   }
2578   auto result = ValidateDecompressedApex(capex, *apex);
2579   if (!result.ok()) {
2580     return result.error();
2581   }
2582   return std::move(*apex);
2583 }
2584 
2585 // Process a single compressed APEX. Returns the decompressed APEX if
2586 // successful.
ProcessCompressedApex(const ApexFile & capex,bool is_ota_chroot)2587 Result<ApexFile> ProcessCompressedApex(const ApexFile& capex,
2588                                        bool is_ota_chroot) {
2589   LOG(INFO) << "Processing compressed APEX " << capex.GetPath();
2590   const auto decompressed_apex_path =
2591       StringPrintf("%s/%s%s", gConfig->decompression_dir,
2592                    GetPackageId(capex.GetManifest()).c_str(),
2593                    kDecompressedApexPackageSuffix);
2594   // Check if decompressed APEX already exist
2595   auto decompressed_path_exists = PathExists(decompressed_apex_path);
2596   if (decompressed_path_exists.ok() && *decompressed_path_exists) {
2597     // Check if existing decompressed APEX is valid
2598     auto result =
2599         OpenAndValidateDecompressedApex(capex, decompressed_apex_path);
2600     if (result.ok()) {
2601       LOG(INFO) << "Skipping decompression for " << capex.GetPath();
2602       return result;
2603     }
2604     // Do not delete existing decompressed APEX when is_ota_chroot is true
2605     if (!is_ota_chroot) {
2606       // Existing decompressed APEX is not valid. We will have to redecompress
2607       LOG(WARNING) << "Existing decompressed APEX is invalid: "
2608                    << result.error();
2609       RemoveFileIfExists(decompressed_apex_path);
2610     }
2611   }
2612 
2613   // We can also reuse existing OTA APEX, depending on situation
2614   auto ota_apex_path = StringPrintf("%s/%s%s", gConfig->decompression_dir,
2615                                     GetPackageId(capex.GetManifest()).c_str(),
2616                                     kOtaApexPackageSuffix);
2617   auto ota_path_exists = PathExists(ota_apex_path);
2618   if (ota_path_exists.ok() && *ota_path_exists) {
2619     if (is_ota_chroot) {
2620       // During ota_chroot, we try to reuse ota APEX as is
2621       auto result = OpenAndValidateDecompressedApex(capex, ota_apex_path);
2622       if (result.ok()) {
2623         LOG(INFO) << "Skipping decompression for " << ota_apex_path;
2624         return result;
2625       }
2626       // Existing ota_apex is not valid. We will have to decompress
2627       LOG(WARNING) << "Existing decompressed OTA APEX is invalid: "
2628                    << result.error();
2629       RemoveFileIfExists(ota_apex_path);
2630     } else {
2631       // During boot, we can avoid decompression by renaming OTA apex
2632       // to expected decompressed_apex path
2633 
2634       // Check if ota_apex APEX is valid
2635       auto result = OpenAndValidateDecompressedApex(capex, ota_apex_path);
2636       if (result.ok()) {
2637         // ota_apex matches with capex. Slot has been switched.
2638 
2639         // Rename ota_apex to expected decompressed_apex path
2640         if (rename(ota_apex_path.c_str(), decompressed_apex_path.c_str()) ==
2641             0) {
2642           // Check if renamed decompressed APEX is valid
2643           result =
2644               OpenAndValidateDecompressedApex(capex, decompressed_apex_path);
2645           if (result.ok()) {
2646             LOG(INFO) << "Renamed " << ota_apex_path << " to "
2647                       << decompressed_apex_path;
2648             return result;
2649           }
2650           // Renamed ota_apex is not valid. We will have to decompress
2651           LOG(WARNING) << "Renamed decompressed APEX from " << ota_apex_path
2652                        << " to " << decompressed_apex_path
2653                        << " is invalid: " << result.error();
2654           RemoveFileIfExists(decompressed_apex_path);
2655         } else {
2656           PLOG(ERROR) << "Failed to rename file " << ota_apex_path;
2657         }
2658       }
2659     }
2660   }
2661 
2662   // There was no way to avoid decompression
2663 
2664   // Clean up reserved space before decompressing capex
2665   if (auto ret = DeleteDirContent(gConfig->ota_reserved_dir); !ret.ok()) {
2666     LOG(ERROR) << "Failed to clean up reserved space: " << ret.error();
2667   }
2668 
2669   auto decompression_dest =
2670       is_ota_chroot ? ota_apex_path : decompressed_apex_path;
2671   auto scope_guard = android::base::make_scope_guard(
2672       [&]() { RemoveFileIfExists(decompression_dest); });
2673 
2674   auto decompression_result = capex.Decompress(decompression_dest);
2675   if (!decompression_result.ok()) {
2676     return Error() << "Failed to decompress : " << capex.GetPath().c_str()
2677                    << " " << decompression_result.error();
2678   }
2679 
2680   // Fix label of decompressed file
2681   auto restore = RestoreconPath(decompression_dest);
2682   if (!restore.ok()) {
2683     return restore.error();
2684   }
2685 
2686   // Validate the newly decompressed APEX
2687   auto return_apex = OpenAndValidateDecompressedApex(capex, decompression_dest);
2688   if (!return_apex.ok()) {
2689     return Error() << "Failed to decompress CAPEX: " << return_apex.error();
2690   }
2691 
2692   /// Release compressed blocks in case decompression_dest is on f2fs-compressed
2693   // filesystem.
2694   ReleaseF2fsCompressedBlocks(decompression_dest);
2695 
2696   scope_guard.Disable();
2697   return return_apex;
2698 }
2699 }  // namespace
2700 
2701 /**
2702  * For each compressed APEX, decompress it to kApexDecompressedDir
2703  * and return the decompressed APEX.
2704  *
2705  * Returns list of decompressed APEX.
2706  */
ProcessCompressedApex(const std::vector<ApexFileRef> & compressed_apex,bool is_ota_chroot)2707 std::vector<ApexFile> ProcessCompressedApex(
2708     const std::vector<ApexFileRef>& compressed_apex, bool is_ota_chroot) {
2709   LOG(INFO) << "Processing compressed APEX";
2710 
2711   std::vector<ApexFile> decompressed_apex_list;
2712   for (const ApexFile& capex : compressed_apex) {
2713     if (!capex.IsCompressed()) {
2714       continue;
2715     }
2716 
2717     auto decompressed_apex = ProcessCompressedApex(capex, is_ota_chroot);
2718     if (decompressed_apex.ok()) {
2719       decompressed_apex_list.emplace_back(std::move(*decompressed_apex));
2720       continue;
2721     }
2722     LOG(ERROR) << "Failed to process compressed APEX: "
2723                << decompressed_apex.error();
2724   }
2725   return std::move(decompressed_apex_list);
2726 }
2727 
ValidateDecompressedApex(const ApexFile & capex,const ApexFile & apex)2728 Result<void> ValidateDecompressedApex(const ApexFile& capex,
2729                                       const ApexFile& apex) {
2730   // Decompressed APEX must have same public key as CAPEX
2731   if (capex.GetBundledPublicKey() != apex.GetBundledPublicKey()) {
2732     return Error()
2733            << "Public key of compressed APEX is different than original "
2734            << "APEX for " << apex.GetPath();
2735   }
2736   // Decompressed APEX must have same version as CAPEX
2737   if (capex.GetManifest().version() != apex.GetManifest().version()) {
2738     return Error()
2739            << "Compressed APEX has different version than decompressed APEX "
2740            << apex.GetPath();
2741   }
2742   // Decompressed APEX must have same root digest as what is stored in CAPEX
2743   auto apex_verity = apex.VerifyApexVerity(apex.GetBundledPublicKey());
2744   if (!apex_verity.ok() ||
2745       capex.GetManifest().capexmetadata().originalapexdigest() !=
2746           apex_verity->root_digest) {
2747     return Error() << "Root digest of " << apex.GetPath()
2748                    << " does not match with"
2749                    << " expected root digest in " << capex.GetPath();
2750   }
2751   return {};
2752 }
2753 
OnStart()2754 void OnStart() {
2755   LOG(INFO) << "Marking APEXd as starting";
2756   auto time_started = boot_clock::now();
2757   if (!SetProperty(gConfig->apex_status_sysprop, kApexStatusStarting)) {
2758     PLOG(ERROR) << "Failed to set " << gConfig->apex_status_sysprop << " to "
2759                 << kApexStatusStarting;
2760   }
2761 
2762   // Ask whether we should revert any active sessions; this can happen if
2763   // we've exceeded the retry count on a device that supports filesystem
2764   // checkpointing.
2765   if (gSupportsFsCheckpoints) {
2766     Result<bool> needs_revert = gVoldService->NeedsRollback();
2767     if (!needs_revert.ok()) {
2768       LOG(ERROR) << "Failed to check if we need a revert: "
2769                  << needs_revert.error();
2770     } else if (*needs_revert) {
2771       LOG(INFO) << "Exceeded number of session retries ("
2772                 << kNumRetriesWhenCheckpointingEnabled
2773                 << "). Starting a revert";
2774       RevertActiveSessions("", "");
2775     }
2776   }
2777 
2778   // Create directories for APEX shared libraries.
2779   auto sharedlibs_apex_dir = CreateSharedLibsApexDir();
2780   if (!sharedlibs_apex_dir.ok()) {
2781     LOG(ERROR) << sharedlibs_apex_dir.error();
2782   }
2783 
2784   // If there is any new apex to be installed on /data/app-staging, hardlink
2785   // them to /data/apex/active first.
2786   ScanStagedSessionsDirAndStage();
2787   if (auto status = ApexFileRepository::GetInstance().AddDataApex(
2788           gConfig->active_apex_data_dir);
2789       !status.ok()) {
2790     LOG(ERROR) << "Failed to collect data APEX files : " << status.error();
2791   }
2792 
2793   auto status = ResumeRevertIfNeeded();
2794   if (!status.ok()) {
2795     LOG(ERROR) << "Failed to resume revert : " << status.error();
2796   }
2797 
2798   // Group every ApexFile on device by name
2799   const auto& instance = ApexFileRepository::GetInstance();
2800   const auto& all_apex = instance.AllApexFilesByName();
2801   // There can be multiple APEX packages with package name X. Determine which
2802   // one to activate.
2803   auto activation_list = SelectApexForActivation(all_apex, instance);
2804 
2805   // Process compressed APEX, if any
2806   std::vector<ApexFileRef> compressed_apex;
2807   for (auto it = activation_list.begin(); it != activation_list.end();) {
2808     if (it->get().IsCompressed()) {
2809       compressed_apex.emplace_back(*it);
2810       it = activation_list.erase(it);
2811     } else {
2812       it++;
2813     }
2814   }
2815   std::vector<ApexFile> decompressed_apex;
2816   if (!compressed_apex.empty()) {
2817     decompressed_apex =
2818         ProcessCompressedApex(compressed_apex, /* is_ota_chroot= */ false);
2819     for (const ApexFile& apex_file : decompressed_apex) {
2820       activation_list.emplace_back(std::cref(apex_file));
2821     }
2822   }
2823 
2824   int data_apex_cnt = std::count_if(
2825       activation_list.begin(), activation_list.end(), [](const auto& a) {
2826         return !ApexFileRepository::GetInstance().IsPreInstalledApex(a.get());
2827       });
2828   if (data_apex_cnt > 0) {
2829     Result<void> pre_allocate = loop::PreAllocateLoopDevices(data_apex_cnt);
2830     if (!pre_allocate.ok()) {
2831       LOG(ERROR) << "Failed to pre-allocate loop devices : "
2832                  << pre_allocate.error();
2833     }
2834   }
2835 
2836   // TODO(b/179248390): activate parallelly if possible
2837   auto activate_status =
2838       ActivateApexPackages(activation_list, /* is_ota_chroot= */ false);
2839   if (!activate_status.ok()) {
2840     std::string error_message =
2841         StringPrintf("Failed to activate packages: %s",
2842                      activate_status.error().message().c_str());
2843     LOG(ERROR) << error_message;
2844     Result<void> revert_status =
2845         RevertActiveSessionsAndReboot("", error_message);
2846     if (!revert_status.ok()) {
2847       LOG(ERROR) << "Failed to revert : " << revert_status.error();
2848     }
2849     auto retry_status = ActivateMissingApexes(activation_list,
2850                                               /* is_ota_chroot= */ false);
2851     if (!retry_status.ok()) {
2852       LOG(ERROR) << retry_status.error();
2853     }
2854   }
2855 
2856   // Now that APEXes are mounted, snapshot or restore DE_sys data.
2857   SnapshotOrRestoreDeSysData();
2858 
2859   auto time_elapsed = std::chrono::duration_cast<std::chrono::milliseconds>(
2860     boot_clock::now() - time_started).count();
2861   LOG(INFO) << "OnStart done, duration=" << time_elapsed;
2862 }
2863 
OnAllPackagesActivated(bool is_bootstrap)2864 void OnAllPackagesActivated(bool is_bootstrap) {
2865   auto result = EmitApexInfoList(is_bootstrap);
2866   if (!result.ok()) {
2867     LOG(ERROR) << "cannot emit apex info list: " << result.error();
2868   }
2869 
2870   // Because apexd in bootstrap mode runs in blocking mode
2871   // we don't have to set as activated.
2872   if (is_bootstrap) {
2873     return;
2874   }
2875 
2876   // Set a system property to let other components know that APEXs are
2877   // activated, but are not yet ready to be used. init is expected to wait
2878   // for this status before performing configuration based on activated
2879   // apexes. Other components that need to use APEXs should wait for the
2880   // ready state instead.
2881   LOG(INFO) << "Marking APEXd as activated";
2882   if (!SetProperty(gConfig->apex_status_sysprop, kApexStatusActivated)) {
2883     PLOG(ERROR) << "Failed to set " << gConfig->apex_status_sysprop << " to "
2884                 << kApexStatusActivated;
2885   }
2886 }
2887 
OnAllPackagesReady()2888 void OnAllPackagesReady() {
2889   // Set a system property to let other components know that APEXs are
2890   // correctly mounted and ready to be used. Before using any file from APEXs,
2891   // they can query this system property to ensure that they are okay to
2892   // access. Or they may have a on-property trigger to delay a task until
2893   // APEXs become ready.
2894   LOG(INFO) << "Marking APEXd as ready";
2895   if (!SetProperty(gConfig->apex_status_sysprop, kApexStatusReady)) {
2896     PLOG(ERROR) << "Failed to set " << gConfig->apex_status_sysprop << " to "
2897                 << kApexStatusReady;
2898   }
2899 }
2900 
SubmitStagedSession(const int session_id,const std::vector<int> & child_session_ids,const bool has_rollback_enabled,const bool is_rollback,const int rollback_id)2901 Result<std::vector<ApexFile>> SubmitStagedSession(
2902     const int session_id, const std::vector<int>& child_session_ids,
2903     const bool has_rollback_enabled, const bool is_rollback,
2904     const int rollback_id) {
2905   if (session_id == 0) {
2906     return Error() << "Session id was not provided.";
2907   }
2908 
2909   if (!gSupportsFsCheckpoints) {
2910     Result<void> backup_status = BackupActivePackages();
2911     if (!backup_status.ok()) {
2912       // Do not proceed with staged install without backup
2913       return backup_status.error();
2914     }
2915   }
2916 
2917   std::vector<int> ids_to_scan;
2918   if (!child_session_ids.empty()) {
2919     ids_to_scan = child_session_ids;
2920   } else {
2921     ids_to_scan = {session_id};
2922   }
2923 
2924   std::vector<ApexFile> ret;
2925   auto guard = android::base::make_scope_guard([&ret]() {
2926     for (const auto& apex : ret) {
2927       apexd_private::UnmountTempMount(apex);
2928     }
2929   });
2930   for (int id_to_scan : ids_to_scan) {
2931     auto verified = VerifySessionDir(id_to_scan);
2932     if (!verified.ok()) {
2933       return verified.error();
2934     }
2935     ret.push_back(std::move(*verified));
2936   }
2937 
2938   // Run preinstall, if necessary.
2939   Result<void> preinstall_status = PreinstallPackages(ret);
2940   if (!preinstall_status.ok()) {
2941     return preinstall_status.error();
2942   }
2943 
2944   if (has_rollback_enabled && is_rollback) {
2945     return Error() << "Cannot set session " << session_id << " as both a"
2946                    << " rollback and enabled for rollback.";
2947   }
2948 
2949   auto session = ApexSession::CreateSession(session_id);
2950   if (!session.ok()) {
2951     return session.error();
2952   }
2953   (*session).SetChildSessionIds(child_session_ids);
2954   std::string build_fingerprint = GetProperty(kBuildFingerprintSysprop, "");
2955   (*session).SetBuildFingerprint(build_fingerprint);
2956   session->SetHasRollbackEnabled(has_rollback_enabled);
2957   session->SetIsRollback(is_rollback);
2958   session->SetRollbackId(rollback_id);
2959   Result<void> commit_status =
2960       (*session).UpdateStateAndCommit(SessionState::VERIFIED);
2961   if (!commit_status.ok()) {
2962     return commit_status.error();
2963   }
2964 
2965   for (const auto& apex : ret) {
2966     // Release compressed blocks in case /data is f2fs-compressed filesystem.
2967     ReleaseF2fsCompressedBlocks(apex.GetPath());
2968   }
2969 
2970   return ret;
2971 }
2972 
MarkStagedSessionReady(const int session_id)2973 Result<void> MarkStagedSessionReady(const int session_id) {
2974   auto session = ApexSession::GetSession(session_id);
2975   if (!session.ok()) {
2976     return session.error();
2977   }
2978   // We should only accept sessions in SessionState::VERIFIED or
2979   // SessionState::STAGED state. In the SessionState::STAGED case, this
2980   // function is effectively a no-op.
2981   auto session_state = (*session).GetState();
2982   if (session_state == SessionState::STAGED) {
2983     return {};
2984   }
2985   if (session_state == SessionState::VERIFIED) {
2986     return (*session).UpdateStateAndCommit(SessionState::STAGED);
2987   }
2988   return Error() << "Invalid state for session " << session_id
2989                  << ". Cannot mark it as ready.";
2990 }
2991 
MarkStagedSessionSuccessful(const int session_id)2992 Result<void> MarkStagedSessionSuccessful(const int session_id) {
2993   auto session = ApexSession::GetSession(session_id);
2994   if (!session.ok()) {
2995     return session.error();
2996   }
2997   // Only SessionState::ACTIVATED or SessionState::SUCCESS states are accepted.
2998   // In the SessionState::SUCCESS state, this function is a no-op.
2999   if (session->GetState() == SessionState::SUCCESS) {
3000     return {};
3001   } else if (session->GetState() == SessionState::ACTIVATED) {
3002     auto cleanup_status = DeleteBackup();
3003     if (!cleanup_status.ok()) {
3004       return Error() << "Failed to mark session " << *session
3005                      << " as successful : " << cleanup_status.error();
3006     }
3007     if (session->IsRollback() && !gSupportsFsCheckpoints) {
3008       DeleteDePreRestoreSnapshots(*session);
3009     }
3010     return session->UpdateStateAndCommit(SessionState::SUCCESS);
3011   } else {
3012     return Error() << "Session " << *session << " can not be marked successful";
3013   }
3014 }
3015 
3016 // Removes APEXes on /data that have not been activated
RemoveInactiveDataApex()3017 void RemoveInactiveDataApex() {
3018   std::vector<std::string> all_apex_files;
3019   Result<std::vector<std::string>> active_apex =
3020       FindFilesBySuffix(gConfig->active_apex_data_dir, {kApexPackageSuffix});
3021   if (!active_apex.ok()) {
3022     LOG(ERROR) << "Failed to scan " << gConfig->active_apex_data_dir << " : "
3023                << active_apex.error();
3024   } else {
3025     all_apex_files.insert(all_apex_files.end(),
3026                           std::make_move_iterator(active_apex->begin()),
3027                           std::make_move_iterator(active_apex->end()));
3028   }
3029   Result<std::vector<std::string>> decompressed_apex = FindFilesBySuffix(
3030       gConfig->decompression_dir, {kDecompressedApexPackageSuffix});
3031   if (!decompressed_apex.ok()) {
3032     LOG(ERROR) << "Failed to scan " << gConfig->decompression_dir << " : "
3033                << decompressed_apex.error();
3034   } else {
3035     all_apex_files.insert(all_apex_files.end(),
3036                           std::make_move_iterator(decompressed_apex->begin()),
3037                           std::make_move_iterator(decompressed_apex->end()));
3038   }
3039 
3040   for (const auto& path : all_apex_files) {
3041     if (!apexd_private::IsMounted(path)) {
3042       LOG(INFO) << "Removing inactive data APEX " << path;
3043       if (unlink(path.c_str()) != 0) {
3044         PLOG(ERROR) << "Failed to unlink inactive data APEX " << path;
3045       }
3046     }
3047   }
3048 }
3049 
BootCompletedCleanup()3050 void BootCompletedCleanup() {
3051   RemoveInactiveDataApex();
3052   ApexSession::DeleteFinalizedSessions();
3053 }
3054 
UnmountAll()3055 int UnmountAll() {
3056   gMountedApexes.PopulateFromMounts(gConfig->active_apex_data_dir,
3057                                     gConfig->decompression_dir,
3058                                     gConfig->apex_hash_tree_dir);
3059   int ret = 0;
3060   gMountedApexes.ForallMountedApexes([&](const std::string& /*package*/,
3061                                          const MountedApexData& data,
3062                                          bool latest) {
3063     LOG(INFO) << "Unmounting " << data.full_path << " mounted on "
3064               << data.mount_point;
3065     auto apex = ApexFile::Open(data.full_path);
3066     if (!apex.ok()) {
3067       LOG(ERROR) << "Failed to open " << data.full_path << " : "
3068                  << apex.error();
3069       ret = 1;
3070       return;
3071     }
3072     if (latest && !apex->GetManifest().providesharedapexlibs()) {
3073       auto pos = data.mount_point.find('@');
3074       CHECK(pos != std::string::npos);
3075       std::string bind_mount = data.mount_point.substr(0, pos);
3076       if (umount2(bind_mount.c_str(), UMOUNT_NOFOLLOW) != 0) {
3077         PLOG(ERROR) << "Failed to unmount bind-mount " << bind_mount;
3078         ret = 1;
3079       }
3080     }
3081     if (auto status = Unmount(data, /* deferred= */ false); !status.ok()) {
3082       LOG(ERROR) << "Failed to unmount " << data.mount_point << " : "
3083                  << status.error();
3084       ret = 1;
3085     }
3086   });
3087   return ret;
3088 }
3089 
RemountPackages()3090 Result<void> RemountPackages() {
3091   std::vector<std::string> apexes;
3092   gMountedApexes.ForallMountedApexes([&apexes](const std::string& /*package*/,
3093                                                const MountedApexData& data,
3094                                                bool latest) {
3095     if (latest) {
3096       LOG(DEBUG) << "Found active APEX " << data.full_path;
3097       apexes.push_back(data.full_path);
3098     }
3099   });
3100   std::vector<std::string> failed;
3101   for (const std::string& apex : apexes) {
3102     // Since this is only used during development workflow, we are trying to
3103     // remount as many apexes as possible instead of failing fast.
3104     if (auto ret = RemountApexFile(apex); !ret.ok()) {
3105       LOG(WARNING) << "Failed to remount " << apex << " : " << ret.error();
3106       failed.emplace_back(apex);
3107     }
3108   }
3109   static constexpr const char* kErrorMessage =
3110       "Failed to remount following APEX packages, hence previous versions of "
3111       "them are still active. If APEX you are developing is in this list, it "
3112       "means that there still are alive processes holding a reference to the "
3113       "previous version of your APEX.\n";
3114   if (!failed.empty()) {
3115     return Error() << kErrorMessage << "Failed (" << failed.size() << ") "
3116                    << "APEX packages: [" << Join(failed, ',') << "]";
3117   }
3118   return {};
3119 }
3120 
3121 // Given a single new APEX incoming via OTA, should we allocate space for it?
ShouldAllocateSpaceForDecompression(const std::string & new_apex_name,const int64_t new_apex_version,const ApexFileRepository & instance)3122 Result<bool> ShouldAllocateSpaceForDecompression(
3123     const std::string& new_apex_name, const int64_t new_apex_version,
3124     const ApexFileRepository& instance) {
3125   // An apex at most will have two versions on device: pre-installed and data.
3126 
3127   // Check if there is a pre-installed version for the new apex.
3128   if (!instance.HasPreInstalledVersion(new_apex_name)) {
3129     // We are introducing a new APEX that doesn't exist at all
3130     return true;
3131   }
3132 
3133   // Check if there is a data apex
3134   if (!instance.HasDataVersion(new_apex_name)) {
3135     // Data apex doesn't exist. Compare against pre-installed APEX
3136     auto pre_installed_apex = instance.GetPreInstalledApex(new_apex_name);
3137     if (!pre_installed_apex.get().IsCompressed()) {
3138       // Compressing an existing uncompressed system APEX.
3139       return true;
3140     }
3141     // Since there is no data apex, it means device is using the compressed
3142     // pre-installed version. If new apex has higher version, we are upgrading
3143     // the pre-install version and if new apex has lower version, we are
3144     // downgrading it. So the current decompressed apex should be replaced
3145     // with the new decompressed apex to reflect that.
3146     const int64_t pre_installed_version =
3147         instance.GetPreInstalledApex(new_apex_name)
3148             .get()
3149             .GetManifest()
3150             .version();
3151     return new_apex_version != pre_installed_version;
3152   }
3153 
3154   // From here on, data apex exists. So we should compare directly against data
3155   // apex.
3156   auto data_apex = instance.GetDataApex(new_apex_name);
3157   // Compare the data apex version with new apex
3158   const int64_t data_version = data_apex.get().GetManifest().version();
3159   // We only decompress the new_apex if it has higher version than data apex.
3160   return new_apex_version > data_version;
3161 }
3162 
CollectApexInfoList(std::ostream & os,const std::vector<ApexFile> & active_apexs,const std::vector<ApexFile> & inactive_apexs)3163 void CollectApexInfoList(std::ostream& os,
3164                          const std::vector<ApexFile>& active_apexs,
3165                          const std::vector<ApexFile>& inactive_apexs) {
3166   std::vector<com::android::apex::ApexInfo> apex_infos;
3167 
3168   auto convert_to_autogen = [&apex_infos](const ApexFile& apex,
3169                                           bool is_active) {
3170     auto& instance = ApexFileRepository::GetInstance();
3171 
3172     auto preinstalled_path =
3173         instance.GetPreinstalledPath(apex.GetManifest().name());
3174     std::optional<std::string> preinstalled_module_path;
3175     if (preinstalled_path.ok()) {
3176       preinstalled_module_path = *preinstalled_path;
3177     }
3178 
3179     std::optional<int64_t> mtime;
3180     struct stat stat_buf;
3181     if (stat(apex.GetPath().c_str(), &stat_buf) == 0) {
3182       mtime.emplace(stat_buf.st_mtime);
3183     } else {
3184       PLOG(WARNING) << "Failed to stat " << apex.GetPath();
3185     }
3186     com::android::apex::ApexInfo apex_info(
3187         apex.GetManifest().name(), apex.GetPath(), preinstalled_module_path,
3188         apex.GetManifest().version(), apex.GetManifest().versionname(),
3189         instance.IsPreInstalledApex(apex), is_active, mtime);
3190     apex_infos.emplace_back(apex_info);
3191   };
3192   for (const auto& apex : active_apexs) {
3193     convert_to_autogen(apex, /* is_active= */ true);
3194   }
3195   for (const auto& apex : inactive_apexs) {
3196     convert_to_autogen(apex, /* is_active= */ false);
3197   }
3198   com::android::apex::ApexInfoList apex_info_list(apex_infos);
3199   com::android::apex::write(os, apex_info_list);
3200 }
3201 
3202 // Reserve |size| bytes in |dest_dir| by creating a zero-filled file.
3203 // Also, we always clean up ota_apex that has been processed as
3204 // part of pre-reboot decompression whenever we reserve space.
ReserveSpaceForCompressedApex(int64_t size,const std::string & dest_dir)3205 Result<void> ReserveSpaceForCompressedApex(int64_t size,
3206                                            const std::string& dest_dir) {
3207   if (size < 0) {
3208     return Error() << "Cannot reserve negative byte of space";
3209   }
3210 
3211   // Since we are reserving space, then we must be preparing for a new OTA.
3212   // Clean up any processed ota_apex from previous OTA.
3213   auto ota_apex_files =
3214       FindFilesBySuffix(gConfig->decompression_dir, {kOtaApexPackageSuffix});
3215   if (!ota_apex_files.ok()) {
3216     return Error() << "Failed to clean up ota_apex: " << ota_apex_files.error();
3217   }
3218   for (const std::string& ota_apex : *ota_apex_files) {
3219     RemoveFileIfExists(ota_apex);
3220   }
3221 
3222   auto file_path = StringPrintf("%s/full.tmp", dest_dir.c_str());
3223   if (size == 0) {
3224     LOG(INFO) << "Cleaning up reserved space for compressed APEX";
3225     // Ota is being cancelled. Clean up reserved space
3226     RemoveFileIfExists(file_path);
3227     return {};
3228   }
3229 
3230   LOG(INFO) << "Reserving " << size << " bytes for compressed APEX";
3231   unique_fd dest_fd(
3232       open(file_path.c_str(), O_WRONLY | O_CLOEXEC | O_CREAT, 0644));
3233   if (dest_fd.get() == -1) {
3234     return ErrnoError() << "Failed to open file for reservation "
3235                         << file_path.c_str();
3236   }
3237 
3238   // Resize to required size
3239   std::error_code ec;
3240   std::filesystem::resize_file(file_path, size, ec);
3241   if (ec) {
3242     RemoveFileIfExists(file_path);
3243     return ErrnoError() << "Failed to resize file " << file_path.c_str()
3244                         << " : " << ec.message();
3245   }
3246 
3247   return {};
3248 }
3249 
OnOtaChrootBootstrap()3250 int OnOtaChrootBootstrap() {
3251   auto& instance = ApexFileRepository::GetInstance();
3252   if (auto status = instance.AddPreInstalledApex(gConfig->apex_built_in_dirs);
3253       !status.ok()) {
3254     LOG(ERROR) << "Failed to scan pre-installed apexes from "
3255                << Join(gConfig->apex_built_in_dirs, ',');
3256     return 1;
3257   }
3258   if (auto status = instance.AddDataApex(gConfig->active_apex_data_dir);
3259       !status.ok()) {
3260     LOG(ERROR) << "Failed to scan upgraded apexes from "
3261                << gConfig->active_apex_data_dir;
3262     // Failing to scan upgraded apexes is not fatal, since we can still try to
3263     // run otapreopt using only pre-installed apexes. Worst case, apps will be
3264     // re-optimized on next boot.
3265   }
3266 
3267   // Create directories for APEX shared libraries.
3268   if (auto status = CreateSharedLibsApexDir(); !status.ok()) {
3269     LOG(ERROR) << "Failed to create /apex/sharedlibs : " << status.ok();
3270     return 1;
3271   }
3272 
3273   auto activation_list =
3274       SelectApexForActivation(instance.AllApexFilesByName(), instance);
3275 
3276   // TODO(b/179497746): This is the third time we are duplicating this code
3277   // block. This will be easier to dedup once we start opening ApexFiles via
3278   // ApexFileRepository. That way, ProcessCompressedApex can return list of
3279   // ApexFileRef, instead of ApexFile.
3280 
3281   // Process compressed APEX, if any
3282   std::vector<ApexFileRef> compressed_apex;
3283   for (auto it = activation_list.begin(); it != activation_list.end();) {
3284     if (it->get().IsCompressed()) {
3285       compressed_apex.emplace_back(*it);
3286       it = activation_list.erase(it);
3287     } else {
3288       it++;
3289     }
3290   }
3291   std::vector<ApexFile> decompressed_apex;
3292   if (!compressed_apex.empty()) {
3293     decompressed_apex =
3294         ProcessCompressedApex(compressed_apex, /* is_ota_chroot= */ true);
3295 
3296     for (const ApexFile& apex_file : decompressed_apex) {
3297       activation_list.emplace_back(std::cref(apex_file));
3298     }
3299   }
3300 
3301   auto activate_status = ActivateApexPackages(activation_list,
3302                                               /* is_ota_chroot= */ true);
3303   if (!activate_status.ok()) {
3304     LOG(ERROR) << "Failed to activate apex packages : "
3305                << activate_status.error();
3306     auto retry_status = ActivateMissingApexes(activation_list,
3307                                               /* is_ota_chroot= */ true);
3308     if (!retry_status.ok()) {
3309       LOG(ERROR) << retry_status.error();
3310     }
3311   }
3312 
3313   // There are a bunch of places that are producing apex-info.xml file.
3314   // We should consolidate the logic in one function and make all other places
3315   // use it.
3316   auto active_apexes = GetActivePackages();
3317   std::vector<ApexFile> inactive_apexes = GetFactoryPackages();
3318   auto new_end = std::remove_if(
3319       inactive_apexes.begin(), inactive_apexes.end(),
3320       [&active_apexes](const ApexFile& apex) {
3321         return std::any_of(active_apexes.begin(), active_apexes.end(),
3322                            [&apex](const ApexFile& active_apex) {
3323                              return apex.GetPath() == active_apex.GetPath();
3324                            });
3325       });
3326   inactive_apexes.erase(new_end, inactive_apexes.end());
3327   std::stringstream xml;
3328   CollectApexInfoList(xml, active_apexes, inactive_apexes);
3329   std::string file_name = StringPrintf("%s/%s", kApexRoot, kApexInfoList);
3330   unique_fd fd(TEMP_FAILURE_RETRY(
3331       open(file_name.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)));
3332   if (fd.get() == -1) {
3333     PLOG(ERROR) << "Can't open " << file_name;
3334     return 1;
3335   }
3336 
3337   if (!android::base::WriteStringToFd(xml.str(), fd)) {
3338     PLOG(ERROR) << "Can't write to " << file_name;
3339     return 1;
3340   }
3341 
3342   fd.reset();
3343 
3344   if (auto status = RestoreconPath(file_name); !status.ok()) {
3345     LOG(ERROR) << "Failed to restorecon " << file_name << " : "
3346                << status.error();
3347     return 1;
3348   }
3349 
3350   return 0;
3351 }
3352 
OnOtaChrootBootstrapFlattenedApex()3353 int OnOtaChrootBootstrapFlattenedApex() {
3354   LOG(INFO) << "OnOtaChrootBootstrapFlattenedApex";
3355 
3356   std::vector<com::android::apex::ApexInfo> apex_infos;
3357 
3358   for (const std::string& dir : gConfig->apex_built_in_dirs) {
3359     LOG(INFO) << "Scanning " << dir;
3360     auto dir_content = ReadDir(dir, [](const auto& entry) {
3361       std::error_code ec;
3362       return entry.is_directory(ec);
3363     });
3364 
3365     if (!dir_content.ok()) {
3366       LOG(ERROR) << "Failed to scan " << dir << " : " << dir_content.error();
3367       continue;
3368     }
3369 
3370     // Sort to make sure that /apex/apex-info-list.xml generation doesn't depend
3371     // on the unstable directory scan.
3372     std::vector<std::string> entries = std::move(*dir_content);
3373     std::sort(entries.begin(), entries.end());
3374 
3375     for (const std::string& apex_dir : entries) {
3376       std::string manifest_file = apex_dir + "/" + kManifestFilenamePb;
3377       if (access(manifest_file.c_str(), F_OK) != 0) {
3378         PLOG(ERROR) << "Failed to access " << manifest_file;
3379         continue;
3380       }
3381 
3382       auto manifest = ReadManifest(manifest_file);
3383       if (!manifest.ok()) {
3384         LOG(ERROR) << "Failed to read apex manifest from " << manifest_file
3385                    << " : " << manifest.error();
3386         continue;
3387       }
3388 
3389       std::string mount_point = std::string(kApexRoot) + "/" + manifest->name();
3390       if (mkdir(mount_point.c_str(), 0755) != 0) {
3391         PLOG(ERROR) << "Failed to mkdir " << mount_point;
3392         continue;
3393       }
3394 
3395       LOG(INFO) << "Bind mounting " << apex_dir << " onto " << mount_point;
3396       if (mount(apex_dir.c_str(), mount_point.c_str(), nullptr, MS_BIND,
3397                 nullptr) != 0) {
3398         PLOG(ERROR) << "Failed to bind mount " << apex_dir << " to "
3399                     << mount_point;
3400         continue;
3401       }
3402 
3403       apex_infos.emplace_back(manifest->name(), /* modulePath= */ apex_dir,
3404                               /* preinstalledModulePath= */ apex_dir,
3405                               /* versionCode= */ manifest->version(),
3406                               /* versionName= */ manifest->versionname(),
3407                               /* isFactory= */ true, /* isActive= */ true,
3408                               /* lastUpdateMillis= */ 0);
3409     }
3410   }
3411 
3412   std::string file_name = StringPrintf("%s/%s", kApexRoot, kApexInfoList);
3413   unique_fd fd(TEMP_FAILURE_RETRY(
3414       open(file_name.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)));
3415   if (fd.get() == -1) {
3416     PLOG(ERROR) << "Can't open " << file_name;
3417     return 1;
3418   }
3419 
3420   std::ostringstream xml;
3421   com::android::apex::ApexInfoList apex_info_list(apex_infos);
3422   com::android::apex::write(xml, apex_info_list);
3423   if (!android::base::WriteStringToFd(xml.str(), fd)) {
3424     PLOG(ERROR) << "Can't write to " << file_name;
3425     return 1;
3426   }
3427   fd.reset();
3428 
3429   if (auto status = RestoreconPath(file_name); !status.ok()) {
3430     LOG(ERROR) << "Failed to restorecon " << file_name << " : "
3431                << status.error();
3432     return 1;
3433   }
3434 
3435   return 0;
3436 }
3437 
GetApexDatabaseForTesting()3438 android::apex::MountedApexDatabase& GetApexDatabaseForTesting() {
3439   return gMountedApexes;
3440 }
3441 
3442 // A version of apex verification that happens during non-staged APEX
3443 // installation.
VerifyPackageNonStagedInstall(const ApexFile & apex_file)3444 Result<void> VerifyPackageNonStagedInstall(const ApexFile& apex_file) {
3445   const auto& verify_package_boot_status = VerifyPackageBoot(apex_file);
3446   if (!verify_package_boot_status.ok()) {
3447     return verify_package_boot_status;
3448   }
3449 
3450   auto check_fn = [&apex_file](const std::string& mount_point) -> Result<void> {
3451     auto dirs = GetSubdirs(mount_point);
3452     if (!dirs.ok()) {
3453       return dirs.error();
3454     }
3455     if (std::find(dirs->begin(), dirs->end(), mount_point + "/app") !=
3456         dirs->end()) {
3457       return Error() << apex_file.GetPath() << " contains app inside";
3458     }
3459     if (std::find(dirs->begin(), dirs->end(), mount_point + "/priv-app") !=
3460         dirs->end()) {
3461       return Error() << apex_file.GetPath() << " contains priv-app inside";
3462     }
3463     return Result<void>{};
3464   };
3465   return RunVerifyFnInsideTempMount(apex_file, check_fn, true);
3466 }
3467 
CheckSupportsNonStagedInstall(const ApexFile & cur_apex,const ApexFile & new_apex)3468 Result<void> CheckSupportsNonStagedInstall(const ApexFile& cur_apex,
3469                                            const ApexFile& new_apex) {
3470   const auto& cur_manifest = cur_apex.GetManifest();
3471   const auto& new_manifest = new_apex.GetManifest();
3472 
3473   if (!new_manifest.supportsrebootlessupdate()) {
3474     return Error() << new_apex.GetPath()
3475                    << " does not support non-staged update";
3476   }
3477 
3478   // Check if update will impact linkerconfig.
3479 
3480   // Updates to shared libs APEXes must be done via staged install flow.
3481   if (new_manifest.providesharedapexlibs()) {
3482     return Error() << new_apex.GetPath() << " is a shared libs APEX";
3483   }
3484 
3485   // This APEX provides native libs to other parts of the platform. It can only
3486   // be updated via staged install flow.
3487   if (new_manifest.providenativelibs_size() > 0) {
3488     return Error() << new_apex.GetPath() << " provides native libs";
3489   }
3490 
3491   // This APEX requires libs provided by dynamic common library APEX, hence it
3492   // can only be installed using staged install flow.
3493   if (new_manifest.requiresharedapexlibs_size() > 0) {
3494     return Error() << new_apex.GetPath() << " requires shared apex libs";
3495   }
3496 
3497   // We don't allow non-staged updates of APEXES that have java libs inside.
3498   if (new_manifest.jnilibs_size() > 0) {
3499     return Error() << new_apex.GetPath() << " requires JNI libs";
3500   }
3501 
3502   // For requireNativeLibs bit, we only allow updates that don't change list of
3503   // required libs.
3504 
3505   std::vector<std::string> cur_required_libs(
3506       cur_manifest.requirenativelibs().begin(),
3507       cur_manifest.requirenativelibs().end());
3508   sort(cur_required_libs.begin(), cur_required_libs.end());
3509 
3510   std::vector<std::string> new_required_libs(
3511       new_manifest.requirenativelibs().begin(),
3512       new_manifest.requirenativelibs().end());
3513   sort(new_required_libs.begin(), new_required_libs.end());
3514 
3515   if (cur_required_libs != new_required_libs) {
3516     return Error() << "Set of native libs required by " << new_apex.GetPath()
3517                    << " differs from the one required by the currently active "
3518                    << cur_apex.GetPath();
3519   }
3520 
3521   auto expected_public_key =
3522       ApexFileRepository::GetInstance().GetPublicKey(new_manifest.name());
3523   if (!expected_public_key.ok()) {
3524     return expected_public_key.error();
3525   }
3526   auto verity_data = new_apex.VerifyApexVerity(*expected_public_key);
3527   if (!verity_data.ok()) {
3528     return verity_data.error();
3529   }
3530   // Supporting non-staged install of APEXes without a hashtree is additional
3531   // hassle, it's easier not to support it.
3532   if (verity_data->desc->tree_size == 0) {
3533     return Error() << new_apex.GetPath()
3534                    << " does not have an embedded hash tree";
3535   }
3536   return {};
3537 }
3538 
ComputePackageIdMinor(const ApexFile & apex)3539 Result<size_t> ComputePackageIdMinor(const ApexFile& apex) {
3540   static constexpr size_t kMaxVerityDevicesPerApexName = 3u;
3541   DeviceMapper& dm = DeviceMapper::Instance();
3542   std::vector<DeviceMapper::DmBlockDevice> dm_devices;
3543   if (!dm.GetAvailableDevices(&dm_devices)) {
3544     return Error() << "Failed to list dm devices";
3545   }
3546   size_t devices = 0;
3547   size_t next_minor = 1;
3548   for (const auto& dm_device : dm_devices) {
3549     std::string_view dm_name(dm_device.name());
3550     // Format is <module_name>@<version_code>[_<minor>]
3551     if (!ConsumePrefix(&dm_name, apex.GetManifest().name())) {
3552       continue;
3553     }
3554     devices++;
3555     auto pos = dm_name.find_last_of('_');
3556     if (pos == std::string_view::npos) {
3557       continue;
3558     }
3559     size_t minor;
3560     if (!ParseUint(std::string(dm_name.substr(pos + 1)), &minor)) {
3561       return Error() << "Unexpected dm device name " << dm_device.name();
3562     }
3563     if (next_minor < minor + 1) {
3564       next_minor = minor + 1;
3565     }
3566   }
3567   if (devices > kMaxVerityDevicesPerApexName) {
3568     return Error() << "There are too many (" << devices
3569                    << ") dm block devices associated with package "
3570                    << apex.GetManifest().name();
3571   }
3572   while (true) {
3573     std::string target_file =
3574         StringPrintf("%s/%s_%zu.apex", gConfig->active_apex_data_dir,
3575                      GetPackageId(apex.GetManifest()).c_str(), next_minor);
3576     if (access(target_file.c_str(), F_OK) == 0) {
3577       next_minor++;
3578     } else {
3579       break;
3580     }
3581   }
3582 
3583   return next_minor;
3584 }
3585 
UpdateApexInfoList()3586 Result<void> UpdateApexInfoList() {
3587   std::vector<ApexFile> active(GetActivePackages());
3588   std::vector<ApexFile> inactive = CalculateInactivePackages(active);
3589 
3590   std::stringstream xml;
3591   CollectApexInfoList(xml, active, inactive);
3592 
3593   std::string name = StringPrintf("%s/.default-%s", kApexRoot, kApexInfoList);
3594   unique_fd fd(TEMP_FAILURE_RETRY(
3595       open(name.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0644)));
3596   if (fd.get() == -1) {
3597     return ErrnoError() << "Can't open " << name;
3598   }
3599   if (!WriteStringToFd(xml.str(), fd)) {
3600     return ErrnoError() << "Failed to write to " << name;
3601   }
3602 
3603   return {};
3604 }
3605 
InstallPackage(const std::string & package_path)3606 Result<ApexFile> InstallPackage(const std::string& package_path) {
3607   LOG(INFO) << "Installing " << package_path;
3608   auto temp_apex = ApexFile::Open(package_path);
3609   if (!temp_apex.ok()) {
3610     return temp_apex.error();
3611   }
3612 
3613   const std::string& module_name = temp_apex->GetManifest().name();
3614   // Don't allow non-staged update if there are no active versions of this APEX.
3615   auto cur_mounted_data = gMountedApexes.GetLatestMountedApex(module_name);
3616   if (!cur_mounted_data.has_value()) {
3617     return Error() << "No active version found for package " << module_name;
3618   }
3619 
3620   auto cur_apex = ApexFile::Open(cur_mounted_data->full_path);
3621   if (!cur_apex.ok()) {
3622     return cur_apex.error();
3623   }
3624 
3625   // Do a quick check if this APEX can be installed without a reboot.
3626   // Note that passing this check doesn't guarantee that APEX will be
3627   // successfully installed.
3628   if (auto r = CheckSupportsNonStagedInstall(*cur_apex, *temp_apex); !r.ok()) {
3629     return r.error();
3630   }
3631 
3632   // 1. Verify that APEX is correct. This is a heavy check that involves
3633   // mounting an APEX on a temporary mount point and reading the entire
3634   // dm-verity block device.
3635   if (auto verify = VerifyPackageNonStagedInstall(*temp_apex); !verify.ok()) {
3636     return verify.error();
3637   }
3638 
3639   // 2. Compute params for mounting new apex.
3640   auto new_id_minor = ComputePackageIdMinor(*temp_apex);
3641   if (!new_id_minor.ok()) {
3642     return new_id_minor.error();
3643   }
3644 
3645   std::string new_id = GetPackageId(temp_apex->GetManifest()) + "_" +
3646                        std::to_string(*new_id_minor);
3647 
3648   // 2. Unmount currently active APEX.
3649   if (auto res = UnmountPackage(*cur_apex, /* allow_latest= */ true,
3650                                 /* deferred= */ true);
3651       !res.ok()) {
3652     return res.error();
3653   }
3654 
3655   // 3. Hard link to final destination.
3656   std::string target_file =
3657       StringPrintf("%s/%s.apex", gConfig->active_apex_data_dir, new_id.c_str());
3658 
3659   auto guard = android::base::make_scope_guard([&]() {
3660     if (unlink(target_file.c_str()) != 0 && errno != ENOENT) {
3661       PLOG(ERROR) << "Failed to unlink " << target_file;
3662     }
3663     // We can't really rely on the fact that dm-verity device backing up
3664     // previously active APEX is still around. We need to create a new one.
3665     std::string old_new_id = GetPackageId(temp_apex->GetManifest()) + "_" +
3666                              std::to_string(*new_id_minor + 1);
3667     if (auto res = ActivatePackageImpl(*cur_apex, old_new_id); !res.ok()) {
3668       // At this point not much we can do... :(
3669       LOG(ERROR) << res.error();
3670     }
3671   });
3672 
3673   // At this point it should be safe to hard link |temp_apex| to
3674   // |params->target_file|. In case reboot happens during one of the stages
3675   // below, then on next boot apexd will pick up the new verified APEX.
3676   if (link(package_path.c_str(), target_file.c_str()) != 0) {
3677     return ErrnoError() << "Failed to link " << package_path << " to "
3678                         << target_file;
3679   }
3680 
3681   auto new_apex = ApexFile::Open(target_file);
3682   if (!new_apex.ok()) {
3683     return new_apex.error();
3684   }
3685 
3686   // 4. And activate new one.
3687   if (auto res = ActivatePackageImpl(*new_apex, new_id); !res.ok()) {
3688     return res.error();
3689   }
3690 
3691   // Accept the install.
3692   guard.Disable();
3693 
3694   // 4. Now we can unlink old APEX if it's not pre-installed.
3695   if (!ApexFileRepository::GetInstance().IsPreInstalledApex(*cur_apex)) {
3696     if (unlink(cur_mounted_data->full_path.c_str()) != 0) {
3697       PLOG(ERROR) << "Failed to unlink " << cur_mounted_data->full_path;
3698     }
3699   }
3700 
3701   if (auto res = UpdateApexInfoList(); !res.ok()) {
3702     LOG(ERROR) << res.error();
3703   }
3704 
3705   // Release compressed blocks in case target_file is on f2fs-compressed
3706   // filesystem.
3707   ReleaseF2fsCompressedBlocks(target_file);
3708 
3709   return new_apex;
3710 }
3711 
3712 }  // namespace apex
3713 }  // namespace android
3714