1 //
2 // Copyright (C) 2014 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 //
16
17 #include "update_engine/update_manager/chromeos_policy.h"
18
19 #include <algorithm>
20 #include <set>
21 #include <string>
22
23 #include <base/logging.h>
24 #include <base/strings/string_util.h>
25 #include <base/time/time.h>
26
27 #include "update_engine/common/error_code.h"
28 #include "update_engine/common/error_code_utils.h"
29 #include "update_engine/common/utils.h"
30 #include "update_engine/update_manager/device_policy_provider.h"
31 #include "update_engine/update_manager/policy_utils.h"
32 #include "update_engine/update_manager/shill_provider.h"
33
34 using base::Time;
35 using base::TimeDelta;
36 using chromeos_update_engine::ConnectionTethering;
37 using chromeos_update_engine::ConnectionType;
38 using chromeos_update_engine::ErrorCode;
39 using std::get;
40 using std::max;
41 using std::min;
42 using std::set;
43 using std::string;
44
45 namespace {
46
47 // Examines |err_code| and decides whether the URL index needs to be advanced,
48 // the error count for the URL incremented, or none of the above. In the first
49 // case, returns true; in the second case, increments |*url_num_error_p| and
50 // returns false; otherwise just returns false.
51 //
52 // TODO(garnold) Adapted from PayloadState::UpdateFailed() (to be retired).
HandleErrorCode(ErrorCode err_code,int * url_num_error_p)53 bool HandleErrorCode(ErrorCode err_code, int* url_num_error_p) {
54 err_code = chromeos_update_engine::utils::GetBaseErrorCode(err_code);
55 switch (err_code) {
56 // Errors which are good indicators of a problem with a particular URL or
57 // the protocol used in the URL or entities in the communication channel
58 // (e.g. proxies). We should try the next available URL in the next update
59 // check to quickly recover from these errors.
60 case ErrorCode::kPayloadHashMismatchError:
61 case ErrorCode::kPayloadSizeMismatchError:
62 case ErrorCode::kDownloadPayloadVerificationError:
63 case ErrorCode::kDownloadPayloadPubKeyVerificationError:
64 case ErrorCode::kSignedDeltaPayloadExpectedError:
65 case ErrorCode::kDownloadInvalidMetadataMagicString:
66 case ErrorCode::kDownloadSignatureMissingInManifest:
67 case ErrorCode::kDownloadManifestParseError:
68 case ErrorCode::kDownloadMetadataSignatureError:
69 case ErrorCode::kDownloadMetadataSignatureVerificationError:
70 case ErrorCode::kDownloadMetadataSignatureMismatch:
71 case ErrorCode::kDownloadOperationHashVerificationError:
72 case ErrorCode::kDownloadOperationExecutionError:
73 case ErrorCode::kDownloadOperationHashMismatch:
74 case ErrorCode::kDownloadInvalidMetadataSize:
75 case ErrorCode::kDownloadInvalidMetadataSignature:
76 case ErrorCode::kDownloadOperationHashMissingError:
77 case ErrorCode::kDownloadMetadataSignatureMissingError:
78 case ErrorCode::kPayloadMismatchedType:
79 case ErrorCode::kUnsupportedMajorPayloadVersion:
80 case ErrorCode::kUnsupportedMinorPayloadVersion:
81 LOG(INFO) << "Advancing download URL due to error "
82 << chromeos_update_engine::utils::ErrorCodeToString(err_code)
83 << " (" << static_cast<int>(err_code) << ")";
84 return true;
85
86 // Errors which seem to be just transient network/communication related
87 // failures and do not indicate any inherent problem with the URL itself.
88 // So, we should keep the current URL but just increment the
89 // failure count to give it more chances. This way, while we maximize our
90 // chances of downloading from the URLs that appear earlier in the response
91 // (because download from a local server URL that appears earlier in a
92 // response is preferable than downloading from the next URL which could be
93 // an Internet URL and thus could be more expensive).
94 case ErrorCode::kError:
95 case ErrorCode::kDownloadTransferError:
96 case ErrorCode::kDownloadWriteError:
97 case ErrorCode::kDownloadStateInitializationError:
98 case ErrorCode::kOmahaErrorInHTTPResponse: // Aggregate for HTTP errors.
99 LOG(INFO) << "Incrementing URL failure count due to error "
100 << chromeos_update_engine::utils::ErrorCodeToString(err_code)
101 << " (" << static_cast<int>(err_code) << ")";
102 *url_num_error_p += 1;
103 return false;
104
105 // Errors which are not specific to a URL and hence shouldn't result in
106 // the URL being penalized. This can happen in two cases:
107 // 1. We haven't started downloading anything: These errors don't cost us
108 // anything in terms of actual payload bytes, so we should just do the
109 // regular retries at the next update check.
110 // 2. We have successfully downloaded the payload: In this case, the
111 // payload attempt number would have been incremented and would take care
112 // of the back-off at the next update check.
113 // In either case, there's no need to update URL index or failure count.
114 case ErrorCode::kOmahaRequestError:
115 case ErrorCode::kOmahaResponseHandlerError:
116 case ErrorCode::kPostinstallRunnerError:
117 case ErrorCode::kFilesystemCopierError:
118 case ErrorCode::kInstallDeviceOpenError:
119 case ErrorCode::kKernelDeviceOpenError:
120 case ErrorCode::kDownloadNewPartitionInfoError:
121 case ErrorCode::kNewRootfsVerificationError:
122 case ErrorCode::kNewKernelVerificationError:
123 case ErrorCode::kPostinstallBootedFromFirmwareB:
124 case ErrorCode::kPostinstallFirmwareRONotUpdatable:
125 case ErrorCode::kOmahaRequestEmptyResponseError:
126 case ErrorCode::kOmahaRequestXMLParseError:
127 case ErrorCode::kOmahaResponseInvalid:
128 case ErrorCode::kOmahaUpdateIgnoredPerPolicy:
129 case ErrorCode::kOmahaUpdateDeferredPerPolicy:
130 case ErrorCode::kNonCriticalUpdateInOOBE:
131 case ErrorCode::kOmahaUpdateDeferredForBackoff:
132 case ErrorCode::kPostinstallPowerwashError:
133 case ErrorCode::kUpdateCanceledByChannelChange:
134 case ErrorCode::kOmahaRequestXMLHasEntityDecl:
135 case ErrorCode::kFilesystemVerifierError:
136 case ErrorCode::kUserCanceled:
137 LOG(INFO) << "Not changing URL index or failure count due to error "
138 << chromeos_update_engine::utils::ErrorCodeToString(err_code)
139 << " (" << static_cast<int>(err_code) << ")";
140 return false;
141
142 case ErrorCode::kSuccess: // success code
143 case ErrorCode::kUmaReportedMax: // not an error code
144 case ErrorCode::kOmahaRequestHTTPResponseBase: // aggregated already
145 case ErrorCode::kDevModeFlag: // not an error code
146 case ErrorCode::kResumedFlag: // not an error code
147 case ErrorCode::kTestImageFlag: // not an error code
148 case ErrorCode::kTestOmahaUrlFlag: // not an error code
149 case ErrorCode::kSpecialFlags: // not an error code
150 // These shouldn't happen. Enumerating these explicitly here so that we
151 // can let the compiler warn about new error codes that are added to
152 // action_processor.h but not added here.
153 LOG(WARNING) << "Unexpected error "
154 << chromeos_update_engine::utils::ErrorCodeToString(err_code)
155 << " (" << static_cast<int>(err_code) << ")";
156 // Note: Not adding a default here so as to let the compiler warn us of
157 // any new enums that were added in the .h but not listed in this switch.
158 }
159 return false;
160 }
161
162 // Checks whether |url| can be used under given download restrictions.
IsUrlUsable(const string & url,bool http_allowed)163 bool IsUrlUsable(const string& url, bool http_allowed) {
164 return http_allowed ||
165 !base::StartsWith(url, "http://",
166 base::CompareCase::INSENSITIVE_ASCII);
167 }
168
169 } // namespace
170
171 namespace chromeos_update_manager {
172
173 const int ChromeOSPolicy::kTimeoutInitialInterval = 7 * 60;
174
175 // TODO(deymo): Split the update_manager policies for Brillo and ChromeOS and
176 // make the update check periodic interval configurable.
177 #ifdef __ANDROID__
178 const int ChromeOSPolicy::kTimeoutPeriodicInterval = 5 * 60 * 60;
179 const int ChromeOSPolicy::kTimeoutMaxBackoffInterval = 26 * 60 * 60;
180 #else
181 const int ChromeOSPolicy::kTimeoutPeriodicInterval = 45 * 60;
182 const int ChromeOSPolicy::kTimeoutMaxBackoffInterval = 4 * 60 * 60;
183 #endif // __ANDROID__
184
185 const int ChromeOSPolicy::kTimeoutRegularFuzz = 10 * 60;
186 const int ChromeOSPolicy::kAttemptBackoffMaxIntervalInDays = 16;
187 const int ChromeOSPolicy::kAttemptBackoffFuzzInHours = 12;
188 const int ChromeOSPolicy::kMaxP2PAttempts = 10;
189 const int ChromeOSPolicy::kMaxP2PAttemptsPeriodInSeconds = 5 * 24 * 60 * 60;
190
UpdateCheckAllowed(EvaluationContext * ec,State * state,string * error,UpdateCheckParams * result) const191 EvalStatus ChromeOSPolicy::UpdateCheckAllowed(
192 EvaluationContext* ec, State* state, string* error,
193 UpdateCheckParams* result) const {
194 // Set the default return values.
195 result->updates_enabled = true;
196 result->target_channel.clear();
197 result->target_version_prefix.clear();
198 result->is_interactive = false;
199
200 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
201 UpdaterProvider* const updater_provider = state->updater_provider();
202 SystemProvider* const system_provider = state->system_provider();
203
204 // Do not perform any updates if booted from removable device. This decision
205 // is final.
206 const unsigned int* num_slots_p = ec->GetValue(
207 system_provider->var_num_slots());
208 if (!num_slots_p || *num_slots_p < 2) {
209 LOG(INFO) << "Not enough slots for A/B updates, disabling update checks.";
210 result->updates_enabled = false;
211 return EvalStatus::kSucceeded;
212 }
213
214 const bool* device_policy_is_loaded_p = ec->GetValue(
215 dp_provider->var_device_policy_is_loaded());
216 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
217 bool kiosk_app_control_chrome_version = false;
218
219 // Check whether updates are disabled by policy.
220 const bool* update_disabled_p = ec->GetValue(
221 dp_provider->var_update_disabled());
222 if (update_disabled_p && *update_disabled_p) {
223 // Check whether allow kiosk app to control chrome version policy. This
224 // policy is only effective when AU is disabled by admin.
225 const bool* allow_kiosk_app_control_chrome_version_p = ec->GetValue(
226 dp_provider->var_allow_kiosk_app_control_chrome_version());
227 kiosk_app_control_chrome_version =
228 allow_kiosk_app_control_chrome_version_p &&
229 *allow_kiosk_app_control_chrome_version_p;
230 if (!kiosk_app_control_chrome_version) {
231 // No kiosk pin chrome version policy. AU is really disabled.
232 LOG(INFO) << "Updates disabled by policy, blocking update checks.";
233 return EvalStatus::kAskMeAgainLater;
234 }
235 }
236
237 if (kiosk_app_control_chrome_version) {
238 // Get the required platform version from Chrome.
239 const string* kiosk_required_platform_version_p =
240 ec->GetValue(system_provider->var_kiosk_required_platform_version());
241 if (!kiosk_required_platform_version_p) {
242 LOG(INFO) << "Kiosk app required platform version is not fetched, "
243 "blocking update checks";
244 return EvalStatus::kAskMeAgainLater;
245 }
246
247 result->target_version_prefix = *kiosk_required_platform_version_p;
248 LOG(INFO) << "Allow kiosk app to control Chrome version policy is set,"
249 << ", target version is "
250 << (kiosk_required_platform_version_p
251 ? *kiosk_required_platform_version_p
252 : std::string("latest"));
253 } else {
254 // Determine whether a target version prefix is dictated by policy.
255 const string* target_version_prefix_p = ec->GetValue(
256 dp_provider->var_target_version_prefix());
257 if (target_version_prefix_p)
258 result->target_version_prefix = *target_version_prefix_p;
259 }
260
261 // Determine whether a target channel is dictated by policy.
262 const bool* release_channel_delegated_p = ec->GetValue(
263 dp_provider->var_release_channel_delegated());
264 if (release_channel_delegated_p && !(*release_channel_delegated_p)) {
265 const string* release_channel_p = ec->GetValue(
266 dp_provider->var_release_channel());
267 if (release_channel_p)
268 result->target_channel = *release_channel_p;
269 }
270 }
271
272 // First, check to see if an interactive update was requested.
273 const UpdateRequestStatus* forced_update_requested_p = ec->GetValue(
274 updater_provider->var_forced_update_requested());
275 if (forced_update_requested_p &&
276 *forced_update_requested_p != UpdateRequestStatus::kNone) {
277 result->is_interactive =
278 (*forced_update_requested_p == UpdateRequestStatus::kInteractive);
279 LOG(INFO) << "Forced update signaled ("
280 << (result->is_interactive ? "interactive" : "periodic")
281 << "), allowing update check.";
282 return EvalStatus::kSucceeded;
283 }
284
285 // The logic thereafter applies to periodic updates. Bear in mind that we
286 // should not return a final "no" if any of these criteria are not satisfied,
287 // because the system may still update due to an interactive update request.
288
289 // Unofficial builds should not perform periodic update checks.
290 const bool* is_official_build_p = ec->GetValue(
291 system_provider->var_is_official_build());
292 if (is_official_build_p && !(*is_official_build_p)) {
293 LOG(INFO) << "Unofficial build, blocking periodic update checks.";
294 return EvalStatus::kAskMeAgainLater;
295 }
296
297 // If OOBE is enabled, wait until it is completed.
298 const bool* is_oobe_enabled_p = ec->GetValue(
299 state->config_provider()->var_is_oobe_enabled());
300 if (is_oobe_enabled_p && *is_oobe_enabled_p) {
301 const bool* is_oobe_complete_p = ec->GetValue(
302 system_provider->var_is_oobe_complete());
303 if (is_oobe_complete_p && !(*is_oobe_complete_p)) {
304 LOG(INFO) << "OOBE not completed, blocking update checks.";
305 return EvalStatus::kAskMeAgainLater;
306 }
307 }
308
309 // Ensure that periodic update checks are timed properly.
310 Time next_update_check;
311 if (NextUpdateCheckTime(ec, state, error, &next_update_check) !=
312 EvalStatus::kSucceeded) {
313 return EvalStatus::kFailed;
314 }
315 if (!ec->IsWallclockTimeGreaterThan(next_update_check)) {
316 LOG(INFO) << "Periodic check interval not satisfied, blocking until "
317 << chromeos_update_engine::utils::ToString(next_update_check);
318 return EvalStatus::kAskMeAgainLater;
319 }
320
321 // It is time to check for an update.
322 LOG(INFO) << "Allowing update check.";
323 return EvalStatus::kSucceeded;
324 }
325
UpdateCanStart(EvaluationContext * ec,State * state,string * error,UpdateDownloadParams * result,const UpdateState update_state) const326 EvalStatus ChromeOSPolicy::UpdateCanStart(
327 EvaluationContext* ec,
328 State* state,
329 string* error,
330 UpdateDownloadParams* result,
331 const UpdateState update_state) const {
332 // Set the default return values. Note that we set persisted values (backoff,
333 // scattering) to the same values presented in the update state. The reason is
334 // that preemptive returns, such as the case where an update check is due,
335 // should not clear off the said values; rather, it is the deliberate
336 // inference of new values that should cause them to be reset.
337 result->update_can_start = false;
338 result->cannot_start_reason = UpdateCannotStartReason::kUndefined;
339 result->download_url_idx = -1;
340 result->download_url_allowed = true;
341 result->download_url_num_errors = 0;
342 result->p2p_downloading_allowed = false;
343 result->p2p_sharing_allowed = false;
344 result->do_increment_failures = false;
345 result->backoff_expiry = update_state.backoff_expiry;
346 result->scatter_wait_period = update_state.scatter_wait_period;
347 result->scatter_check_threshold = update_state.scatter_check_threshold;
348
349 // Make sure that we're not due for an update check.
350 UpdateCheckParams check_result;
351 EvalStatus check_status = UpdateCheckAllowed(ec, state, error, &check_result);
352 if (check_status == EvalStatus::kFailed)
353 return EvalStatus::kFailed;
354 bool is_check_due = (check_status == EvalStatus::kSucceeded &&
355 check_result.updates_enabled == true);
356
357 // Check whether backoff applies, and if not then which URL can be used for
358 // downloading. These require scanning the download error log, and so they are
359 // done together.
360 UpdateBackoffAndDownloadUrlResult backoff_url_result;
361 EvalStatus backoff_url_status = UpdateBackoffAndDownloadUrl(
362 ec, state, error, &backoff_url_result, update_state);
363 if (backoff_url_status == EvalStatus::kFailed)
364 return EvalStatus::kFailed;
365 result->download_url_idx = backoff_url_result.url_idx;
366 result->download_url_num_errors = backoff_url_result.url_num_errors;
367 result->do_increment_failures = backoff_url_result.do_increment_failures;
368 result->backoff_expiry = backoff_url_result.backoff_expiry;
369 bool is_backoff_active =
370 (backoff_url_status == EvalStatus::kAskMeAgainLater) ||
371 !backoff_url_result.backoff_expiry.is_null();
372
373 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
374 bool is_scattering_active = false;
375 EvalStatus scattering_status = EvalStatus::kSucceeded;
376
377 const bool* device_policy_is_loaded_p = ec->GetValue(
378 dp_provider->var_device_policy_is_loaded());
379 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
380 // Check whether scattering applies to this update attempt. We should not be
381 // scattering if this is an interactive update check, or if OOBE is enabled
382 // but not completed.
383 //
384 // Note: current code further suppresses scattering if a "deadline"
385 // attribute is found in the Omaha response. However, it appears that the
386 // presence of this attribute is merely indicative of an OOBE update, during
387 // which we suppress scattering anyway.
388 bool is_scattering_applicable = false;
389 result->scatter_wait_period = kZeroInterval;
390 result->scatter_check_threshold = 0;
391 if (!update_state.is_interactive) {
392 const bool* is_oobe_enabled_p = ec->GetValue(
393 state->config_provider()->var_is_oobe_enabled());
394 if (is_oobe_enabled_p && !(*is_oobe_enabled_p)) {
395 is_scattering_applicable = true;
396 } else {
397 const bool* is_oobe_complete_p = ec->GetValue(
398 state->system_provider()->var_is_oobe_complete());
399 is_scattering_applicable = (is_oobe_complete_p && *is_oobe_complete_p);
400 }
401 }
402
403 // Compute scattering values.
404 if (is_scattering_applicable) {
405 UpdateScatteringResult scatter_result;
406 scattering_status = UpdateScattering(ec, state, error, &scatter_result,
407 update_state);
408 if (scattering_status == EvalStatus::kFailed) {
409 return EvalStatus::kFailed;
410 } else {
411 result->scatter_wait_period = scatter_result.wait_period;
412 result->scatter_check_threshold = scatter_result.check_threshold;
413 if (scattering_status == EvalStatus::kAskMeAgainLater ||
414 scatter_result.is_scattering)
415 is_scattering_active = true;
416 }
417 }
418 }
419
420 // Find out whether P2P is globally enabled.
421 bool p2p_enabled;
422 EvalStatus p2p_enabled_status = P2PEnabled(ec, state, error, &p2p_enabled);
423 if (p2p_enabled_status != EvalStatus::kSucceeded)
424 return EvalStatus::kFailed;
425
426 // Is P2P is enabled, consider allowing it for downloading and/or sharing.
427 if (p2p_enabled) {
428 // Sharing via P2P is allowed if not disabled by Omaha.
429 if (update_state.p2p_sharing_disabled) {
430 LOG(INFO) << "Blocked P2P sharing because it is disabled by Omaha.";
431 } else {
432 result->p2p_sharing_allowed = true;
433 }
434
435 // Downloading via P2P is allowed if not disabled by Omaha, an update is not
436 // interactive, and other limits haven't been reached.
437 if (update_state.p2p_downloading_disabled) {
438 LOG(INFO) << "Blocked P2P downloading because it is disabled by Omaha.";
439 } else if (update_state.is_interactive) {
440 LOG(INFO) << "Blocked P2P downloading because update is interactive.";
441 } else if (update_state.p2p_num_attempts >= kMaxP2PAttempts) {
442 LOG(INFO) << "Blocked P2P downloading as it was attempted too many "
443 "times.";
444 } else if (!update_state.p2p_first_attempted.is_null() &&
445 ec->IsWallclockTimeGreaterThan(
446 update_state.p2p_first_attempted +
447 TimeDelta::FromSeconds(kMaxP2PAttemptsPeriodInSeconds))) {
448 LOG(INFO) << "Blocked P2P downloading as its usage timespan exceeds "
449 "limit.";
450 } else {
451 // P2P download is allowed; if backoff or scattering are active, be sure
452 // to suppress them, yet prevent any download URL from being used.
453 result->p2p_downloading_allowed = true;
454 if (is_backoff_active || is_scattering_active) {
455 is_backoff_active = is_scattering_active = false;
456 result->download_url_allowed = false;
457 }
458 }
459 }
460
461 // Check for various deterrents.
462 if (is_check_due) {
463 result->cannot_start_reason = UpdateCannotStartReason::kCheckDue;
464 return EvalStatus::kSucceeded;
465 }
466 if (is_backoff_active) {
467 result->cannot_start_reason = UpdateCannotStartReason::kBackoff;
468 return backoff_url_status;
469 }
470 if (is_scattering_active) {
471 result->cannot_start_reason = UpdateCannotStartReason::kScattering;
472 return scattering_status;
473 }
474 if (result->download_url_idx < 0 && !result->p2p_downloading_allowed) {
475 result->cannot_start_reason = UpdateCannotStartReason::kCannotDownload;
476 return EvalStatus::kSucceeded;
477 }
478
479 // Update is good to go.
480 result->update_can_start = true;
481 return EvalStatus::kSucceeded;
482 }
483
484 // TODO(garnold) Logic in this method is based on
485 // ConnectionManager::IsUpdateAllowedOver(); be sure to deprecate the latter.
486 //
487 // TODO(garnold) The current logic generally treats the list of allowed
488 // connections coming from the device policy as a whitelist, meaning that it
489 // can only be used for enabling connections, but not disable them. Further,
490 // certain connection types (like Bluetooth) cannot be enabled even by policy.
491 // In effect, the only thing that device policy can change is to enable
492 // updates over a cellular network (disabled by default). We may want to
493 // revisit this semantics, allowing greater flexibility in defining specific
494 // permissions over all types of networks.
UpdateDownloadAllowed(EvaluationContext * ec,State * state,string * error,bool * result) const495 EvalStatus ChromeOSPolicy::UpdateDownloadAllowed(
496 EvaluationContext* ec,
497 State* state,
498 string* error,
499 bool* result) const {
500 // Get the current connection type.
501 ShillProvider* const shill_provider = state->shill_provider();
502 const ConnectionType* conn_type_p = ec->GetValue(
503 shill_provider->var_conn_type());
504 POLICY_CHECK_VALUE_AND_FAIL(conn_type_p, error);
505 ConnectionType conn_type = *conn_type_p;
506
507 // If we're tethering, treat it as a cellular connection.
508 if (conn_type != ConnectionType::kCellular) {
509 const ConnectionTethering* conn_tethering_p = ec->GetValue(
510 shill_provider->var_conn_tethering());
511 POLICY_CHECK_VALUE_AND_FAIL(conn_tethering_p, error);
512 if (*conn_tethering_p == ConnectionTethering::kConfirmed)
513 conn_type = ConnectionType::kCellular;
514 }
515
516 // By default, we allow updates for all connection types, with exceptions as
517 // noted below. This also determines whether a device policy can override the
518 // default.
519 *result = true;
520 bool device_policy_can_override = false;
521 switch (conn_type) {
522 case ConnectionType::kBluetooth:
523 *result = false;
524 break;
525
526 case ConnectionType::kCellular:
527 *result = false;
528 device_policy_can_override = true;
529 break;
530
531 case ConnectionType::kUnknown:
532 if (error)
533 *error = "Unknown connection type";
534 return EvalStatus::kFailed;
535
536 default:
537 break; // Nothing to do.
538 }
539
540 // If update is allowed, we're done.
541 if (*result)
542 return EvalStatus::kSucceeded;
543
544 // Check whether the device policy specifically allows this connection.
545 if (device_policy_can_override) {
546 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
547 const bool* device_policy_is_loaded_p = ec->GetValue(
548 dp_provider->var_device_policy_is_loaded());
549 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
550 const set<ConnectionType>* allowed_conn_types_p = ec->GetValue(
551 dp_provider->var_allowed_connection_types_for_update());
552 if (allowed_conn_types_p) {
553 if (allowed_conn_types_p->count(conn_type)) {
554 *result = true;
555 return EvalStatus::kSucceeded;
556 }
557 } else if (conn_type == ConnectionType::kCellular) {
558 // Local user settings can allow updates over cellular iff a policy was
559 // loaded but no allowed connections were specified in it.
560 const bool* update_over_cellular_allowed_p = ec->GetValue(
561 state->updater_provider()->var_cellular_enabled());
562 if (update_over_cellular_allowed_p && *update_over_cellular_allowed_p)
563 *result = true;
564 }
565 }
566 }
567
568 return (*result ? EvalStatus::kSucceeded : EvalStatus::kAskMeAgainLater);
569 }
570
P2PEnabled(EvaluationContext * ec,State * state,string * error,bool * result) const571 EvalStatus ChromeOSPolicy::P2PEnabled(EvaluationContext* ec,
572 State* state,
573 string* error,
574 bool* result) const {
575 bool enabled = false;
576
577 // Determine whether use of P2P is allowed by policy. Even if P2P is not
578 // explicitly allowed, we allow it if the device is enterprise enrolled (that
579 // is, missing or empty owner string).
580 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
581 const bool* device_policy_is_loaded_p = ec->GetValue(
582 dp_provider->var_device_policy_is_loaded());
583 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
584 const bool* policy_au_p2p_enabled_p = ec->GetValue(
585 dp_provider->var_au_p2p_enabled());
586 if (policy_au_p2p_enabled_p) {
587 enabled = *policy_au_p2p_enabled_p;
588 } else {
589 const string* policy_owner_p = ec->GetValue(dp_provider->var_owner());
590 if (!policy_owner_p || policy_owner_p->empty())
591 enabled = true;
592 }
593 }
594
595 // Enable P2P, if so mandated by the updater configuration. This is additive
596 // to whether or not P2P is enabled by device policy.
597 if (!enabled) {
598 const bool* updater_p2p_enabled_p = ec->GetValue(
599 state->updater_provider()->var_p2p_enabled());
600 enabled = updater_p2p_enabled_p && *updater_p2p_enabled_p;
601 }
602
603 *result = enabled;
604 return EvalStatus::kSucceeded;
605 }
606
P2PEnabledChanged(EvaluationContext * ec,State * state,string * error,bool * result,bool prev_result) const607 EvalStatus ChromeOSPolicy::P2PEnabledChanged(EvaluationContext* ec,
608 State* state,
609 string* error,
610 bool* result,
611 bool prev_result) const {
612 EvalStatus status = P2PEnabled(ec, state, error, result);
613 if (status == EvalStatus::kSucceeded && *result == prev_result)
614 return EvalStatus::kAskMeAgainLater;
615 return status;
616 }
617
NextUpdateCheckTime(EvaluationContext * ec,State * state,string * error,Time * next_update_check) const618 EvalStatus ChromeOSPolicy::NextUpdateCheckTime(EvaluationContext* ec,
619 State* state, string* error,
620 Time* next_update_check) const {
621 UpdaterProvider* const updater_provider = state->updater_provider();
622
623 // Don't check for updates too often. We limit the update checks to once every
624 // some interval. The interval is kTimeoutInitialInterval the first time and
625 // kTimeoutPeriodicInterval for the subsequent update checks. If the update
626 // check fails, we increase the interval between the update checks
627 // exponentially until kTimeoutMaxBackoffInterval. Finally, to avoid having
628 // many chromebooks running update checks at the exact same time, we add some
629 // fuzz to the interval.
630 const Time* updater_started_time =
631 ec->GetValue(updater_provider->var_updater_started_time());
632 POLICY_CHECK_VALUE_AND_FAIL(updater_started_time, error);
633
634 const Time* last_checked_time =
635 ec->GetValue(updater_provider->var_last_checked_time());
636
637 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
638 POLICY_CHECK_VALUE_AND_FAIL(seed, error);
639
640 PRNG prng(*seed);
641
642 // If this is the first attempt, compute and return an initial value.
643 if (!last_checked_time || *last_checked_time < *updater_started_time) {
644 *next_update_check = *updater_started_time + FuzzedInterval(
645 &prng, kTimeoutInitialInterval, kTimeoutRegularFuzz);
646 return EvalStatus::kSucceeded;
647 }
648
649 // Check whether the server is enforcing a poll interval; if not, this value
650 // will be zero.
651 const unsigned int* server_dictated_poll_interval = ec->GetValue(
652 updater_provider->var_server_dictated_poll_interval());
653 POLICY_CHECK_VALUE_AND_FAIL(server_dictated_poll_interval, error);
654
655 int interval = *server_dictated_poll_interval;
656 int fuzz = 0;
657
658 // If no poll interval was dictated by server compute a back-off period,
659 // starting from a predetermined base periodic interval and increasing
660 // exponentially by the number of consecutive failed attempts.
661 if (interval == 0) {
662 const unsigned int* consecutive_failed_update_checks = ec->GetValue(
663 updater_provider->var_consecutive_failed_update_checks());
664 POLICY_CHECK_VALUE_AND_FAIL(consecutive_failed_update_checks, error);
665
666 interval = kTimeoutPeriodicInterval;
667 unsigned int num_failures = *consecutive_failed_update_checks;
668 while (interval < kTimeoutMaxBackoffInterval && num_failures) {
669 interval *= 2;
670 num_failures--;
671 }
672 }
673
674 // We cannot back off longer than the predetermined maximum interval.
675 if (interval > kTimeoutMaxBackoffInterval)
676 interval = kTimeoutMaxBackoffInterval;
677
678 // We cannot back off shorter than the predetermined periodic interval. Also,
679 // in this case set the fuzz to a predetermined regular value.
680 if (interval <= kTimeoutPeriodicInterval) {
681 interval = kTimeoutPeriodicInterval;
682 fuzz = kTimeoutRegularFuzz;
683 }
684
685 // If not otherwise determined, defer to a fuzz of +/-(interval / 2).
686 if (fuzz == 0)
687 fuzz = interval;
688
689 *next_update_check = *last_checked_time + FuzzedInterval(
690 &prng, interval, fuzz);
691 return EvalStatus::kSucceeded;
692 }
693
FuzzedInterval(PRNG * prng,int interval,int fuzz)694 TimeDelta ChromeOSPolicy::FuzzedInterval(PRNG* prng, int interval, int fuzz) {
695 DCHECK_GE(interval, 0);
696 DCHECK_GE(fuzz, 0);
697 int half_fuzz = fuzz / 2;
698 // This guarantees the output interval is non negative.
699 int interval_min = max(interval - half_fuzz, 0);
700 int interval_max = interval + half_fuzz;
701 return TimeDelta::FromSeconds(prng->RandMinMax(interval_min, interval_max));
702 }
703
UpdateBackoffAndDownloadUrl(EvaluationContext * ec,State * state,string * error,UpdateBackoffAndDownloadUrlResult * result,const UpdateState & update_state) const704 EvalStatus ChromeOSPolicy::UpdateBackoffAndDownloadUrl(
705 EvaluationContext* ec, State* state, string* error,
706 UpdateBackoffAndDownloadUrlResult* result,
707 const UpdateState& update_state) const {
708 // Sanity checks.
709 DCHECK_GE(update_state.download_errors_max, 0);
710
711 // Set default result values.
712 result->do_increment_failures = false;
713 result->backoff_expiry = update_state.backoff_expiry;
714 result->url_idx = -1;
715 result->url_num_errors = 0;
716
717 const bool* is_official_build_p = ec->GetValue(
718 state->system_provider()->var_is_official_build());
719 bool is_official_build = (is_official_build_p ? *is_official_build_p : true);
720
721 // Check whether backoff is enabled.
722 bool may_backoff = false;
723 if (update_state.is_backoff_disabled) {
724 LOG(INFO) << "Backoff disabled by Omaha.";
725 } else if (update_state.is_interactive) {
726 LOG(INFO) << "No backoff for interactive updates.";
727 } else if (update_state.is_delta_payload) {
728 LOG(INFO) << "No backoff for delta payloads.";
729 } else if (!is_official_build) {
730 LOG(INFO) << "No backoff for unofficial builds.";
731 } else {
732 may_backoff = true;
733 }
734
735 // If previous backoff still in effect, block.
736 if (may_backoff && !update_state.backoff_expiry.is_null() &&
737 !ec->IsWallclockTimeGreaterThan(update_state.backoff_expiry)) {
738 LOG(INFO) << "Previous backoff has not expired, waiting.";
739 return EvalStatus::kAskMeAgainLater;
740 }
741
742 // Determine whether HTTP downloads are forbidden by policy. This only
743 // applies to official system builds; otherwise, HTTP is always enabled.
744 bool http_allowed = true;
745 if (is_official_build) {
746 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
747 const bool* device_policy_is_loaded_p = ec->GetValue(
748 dp_provider->var_device_policy_is_loaded());
749 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
750 const bool* policy_http_downloads_enabled_p = ec->GetValue(
751 dp_provider->var_http_downloads_enabled());
752 http_allowed = (!policy_http_downloads_enabled_p ||
753 *policy_http_downloads_enabled_p);
754 }
755 }
756
757 int url_idx = update_state.last_download_url_idx;
758 if (url_idx < 0)
759 url_idx = -1;
760 bool do_advance_url = false;
761 bool is_failure_occurred = false;
762 Time err_time;
763
764 // Scan the relevant part of the download error log, tracking which URLs are
765 // being used, and accounting the number of errors for each URL. Note that
766 // this process may not traverse all errors provided, as it may decide to bail
767 // out midway depending on the particular errors exhibited, the number of
768 // failures allowed, etc. When this ends, |url_idx| will point to the last URL
769 // used (-1 if starting fresh), |do_advance_url| will determine whether the
770 // URL needs to be advanced, and |err_time| the point in time when the last
771 // reported error occurred. Additionally, if the error log indicates that an
772 // update attempt has failed (abnormal), then |is_failure_occurred| will be
773 // set to true.
774 const int num_urls = update_state.download_urls.size();
775 int prev_url_idx = -1;
776 int url_num_errors = update_state.last_download_url_num_errors;
777 Time prev_err_time;
778 bool is_first = true;
779 for (const auto& err_tuple : update_state.download_errors) {
780 // Do some sanity checks.
781 int used_url_idx = get<0>(err_tuple);
782 if (is_first && url_idx >= 0 && used_url_idx != url_idx) {
783 LOG(WARNING) << "First URL in error log (" << used_url_idx
784 << ") not as expected (" << url_idx << ")";
785 }
786 is_first = false;
787 url_idx = used_url_idx;
788 if (url_idx < 0 || url_idx >= num_urls) {
789 LOG(ERROR) << "Download error log contains an invalid URL index ("
790 << url_idx << ")";
791 return EvalStatus::kFailed;
792 }
793 err_time = get<2>(err_tuple);
794 if (!(prev_err_time.is_null() || err_time >= prev_err_time)) {
795 // TODO(garnold) Monotonicity cannot really be assumed when dealing with
796 // wallclock-based timestamps. However, we're making a simplifying
797 // assumption so as to keep the policy implementation straightforward, for
798 // now. In general, we should convert all timestamp handling in the
799 // UpdateManager to use monotonic time (instead of wallclock), including
800 // the computation of various expiration times (backoff, scattering, etc).
801 // The client will do whatever conversions necessary when
802 // persisting/retrieving these values across reboots. See chromium:408794.
803 LOG(ERROR) << "Download error timestamps not monotonically increasing.";
804 return EvalStatus::kFailed;
805 }
806 prev_err_time = err_time;
807
808 // Ignore errors that happened before the last known failed attempt.
809 if (!update_state.failures_last_updated.is_null() &&
810 err_time <= update_state.failures_last_updated)
811 continue;
812
813 if (prev_url_idx >= 0) {
814 if (url_idx < prev_url_idx) {
815 LOG(ERROR) << "The URLs in the download error log have wrapped around ("
816 << prev_url_idx << "->" << url_idx
817 << "). This should not have happened and means that there's "
818 "a bug. To be conservative, we record a failed attempt "
819 "(invalidating the rest of the error log) and resume "
820 "download from the first usable URL.";
821 url_idx = -1;
822 is_failure_occurred = true;
823 break;
824 }
825
826 if (url_idx > prev_url_idx) {
827 url_num_errors = 0;
828 do_advance_url = false;
829 }
830 }
831
832 if (HandleErrorCode(get<1>(err_tuple), &url_num_errors) ||
833 url_num_errors > update_state.download_errors_max)
834 do_advance_url = true;
835
836 prev_url_idx = url_idx;
837 }
838
839 // If required, advance to the next usable URL. If the URLs wraparound, we
840 // mark an update attempt failure. Also be sure to set the download error
841 // count to zero.
842 if (url_idx < 0 || do_advance_url) {
843 url_num_errors = 0;
844 int start_url_idx = -1;
845 do {
846 if (++url_idx == num_urls) {
847 url_idx = 0;
848 // We only mark failure if an actual advancing of a URL was required.
849 if (do_advance_url)
850 is_failure_occurred = true;
851 }
852
853 if (start_url_idx < 0)
854 start_url_idx = url_idx;
855 else if (url_idx == start_url_idx)
856 url_idx = -1; // No usable URL.
857 } while (url_idx >= 0 &&
858 !IsUrlUsable(update_state.download_urls[url_idx], http_allowed));
859 }
860
861 // If we have a download URL but a failure was observed, compute a new backoff
862 // expiry (if allowed). The backoff period is generally 2 ^ (num_failures - 1)
863 // days, bounded by the size of int and kAttemptBackoffMaxIntervalInDays, and
864 // fuzzed by kAttemptBackoffFuzzInHours hours. Backoff expiry is computed from
865 // the latest recorded time of error.
866 Time backoff_expiry;
867 if (url_idx >= 0 && is_failure_occurred && may_backoff) {
868 CHECK(!err_time.is_null())
869 << "We must have an error timestamp if a failure occurred!";
870 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
871 POLICY_CHECK_VALUE_AND_FAIL(seed, error);
872 PRNG prng(*seed);
873 int exp = min(update_state.num_failures,
874 static_cast<int>(sizeof(int)) * 8 - 2);
875 TimeDelta backoff_interval = TimeDelta::FromDays(
876 min(1 << exp, kAttemptBackoffMaxIntervalInDays));
877 TimeDelta backoff_fuzz = TimeDelta::FromHours(kAttemptBackoffFuzzInHours);
878 TimeDelta wait_period = FuzzedInterval(&prng, backoff_interval.InSeconds(),
879 backoff_fuzz.InSeconds());
880 backoff_expiry = err_time + wait_period;
881
882 // If the newly computed backoff already expired, nullify it.
883 if (ec->IsWallclockTimeGreaterThan(backoff_expiry))
884 backoff_expiry = Time();
885 }
886
887 result->do_increment_failures = is_failure_occurred;
888 result->backoff_expiry = backoff_expiry;
889 result->url_idx = url_idx;
890 result->url_num_errors = url_num_errors;
891 return EvalStatus::kSucceeded;
892 }
893
UpdateScattering(EvaluationContext * ec,State * state,string * error,UpdateScatteringResult * result,const UpdateState & update_state) const894 EvalStatus ChromeOSPolicy::UpdateScattering(
895 EvaluationContext* ec,
896 State* state,
897 string* error,
898 UpdateScatteringResult* result,
899 const UpdateState& update_state) const {
900 // Preconditions. These stem from the postconditions and usage contract.
901 DCHECK(update_state.scatter_wait_period >= kZeroInterval);
902 DCHECK_GE(update_state.scatter_check_threshold, 0);
903
904 // Set default result values.
905 result->is_scattering = false;
906 result->wait_period = kZeroInterval;
907 result->check_threshold = 0;
908
909 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
910
911 // Ensure that a device policy is loaded.
912 const bool* device_policy_is_loaded_p = ec->GetValue(
913 dp_provider->var_device_policy_is_loaded());
914 if (!(device_policy_is_loaded_p && *device_policy_is_loaded_p))
915 return EvalStatus::kSucceeded;
916
917 // Is scattering enabled by policy?
918 const TimeDelta* scatter_factor_p = ec->GetValue(
919 dp_provider->var_scatter_factor());
920 if (!scatter_factor_p || *scatter_factor_p == kZeroInterval)
921 return EvalStatus::kSucceeded;
922
923 // Obtain a pseudo-random number generator.
924 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
925 POLICY_CHECK_VALUE_AND_FAIL(seed, error);
926 PRNG prng(*seed);
927
928 // Step 1: Maintain the scattering wait period.
929 //
930 // If no wait period was previously determined, or it no longer fits in the
931 // scatter factor, then generate a new one. Otherwise, keep the one we have.
932 TimeDelta wait_period = update_state.scatter_wait_period;
933 if (wait_period == kZeroInterval || wait_period > *scatter_factor_p) {
934 wait_period = TimeDelta::FromSeconds(
935 prng.RandMinMax(1, scatter_factor_p->InSeconds()));
936 }
937
938 // If we surpassed the wait period or the max scatter period associated with
939 // the update, then no wait is needed.
940 Time wait_expires = (update_state.first_seen +
941 min(wait_period, update_state.scatter_wait_period_max));
942 if (ec->IsWallclockTimeGreaterThan(wait_expires))
943 wait_period = kZeroInterval;
944
945 // Step 2: Maintain the update check threshold count.
946 //
947 // If an update check threshold is not specified then generate a new
948 // one.
949 int check_threshold = update_state.scatter_check_threshold;
950 if (check_threshold == 0) {
951 check_threshold = prng.RandMinMax(
952 update_state.scatter_check_threshold_min,
953 update_state.scatter_check_threshold_max);
954 }
955
956 // If the update check threshold is not within allowed range then nullify it.
957 // TODO(garnold) This is compliant with current logic found in
958 // OmahaRequestAction::IsUpdateCheckCountBasedWaitingSatisfied(). We may want
959 // to change it so that it behaves similarly to the wait period case, namely
960 // if the current value exceeds the maximum, we set a new one within range.
961 if (check_threshold > update_state.scatter_check_threshold_max)
962 check_threshold = 0;
963
964 // If the update check threshold is non-zero and satisfied, then nullify it.
965 if (check_threshold > 0 && update_state.num_checks >= check_threshold)
966 check_threshold = 0;
967
968 bool is_scattering = (wait_period != kZeroInterval || check_threshold);
969 EvalStatus ret = EvalStatus::kSucceeded;
970 if (is_scattering && wait_period == update_state.scatter_wait_period &&
971 check_threshold == update_state.scatter_check_threshold)
972 ret = EvalStatus::kAskMeAgainLater;
973 result->is_scattering = is_scattering;
974 result->wait_period = wait_period;
975 result->check_threshold = check_threshold;
976 return ret;
977 }
978
979 } // namespace chromeos_update_manager
980