[installd] Prepare profiles for app code paths
Implement profile preparation for individual application code paths.
The preparation is:
- create the current profile
- merge the profile from the dex metadata file (if present) into the
reference profile.
Note: currently the current profile is created as part of
InstalldNativeService::createAppData for the entire package. That logic
does not support dex metadata or individual code paths and will be removed
once the PackageManager switches over the new method.
Test: installd_dexopt_test
Bug: 30934496
Change-Id: I2aeddcda7b78017bd46838985bef5f92a79d4573
diff --git a/cmds/installd/InstalldNativeService.cpp b/cmds/installd/InstalldNativeService.cpp
index 1694233..d4dce50 100644
--- a/cmds/installd/InstalldNativeService.cpp
+++ b/cmds/installd/InstalldNativeService.cpp
@@ -2488,5 +2488,17 @@
return ok();
}
+binder::Status InstalldNativeService::prepareAppProfile(const std::string& packageName,
+ int32_t userId, int32_t appId, const std::string& profileName, const std::string& codePath,
+ const std::unique_ptr<std::string>& dexMetadata, bool* _aidl_return) {
+ ENFORCE_UID(AID_SYSTEM);
+ CHECK_ARGUMENT_PACKAGE_NAME(packageName);
+ std::lock_guard<std::recursive_mutex> lock(mLock);
+
+ *_aidl_return = prepare_app_profile(packageName, userId, appId, profileName, codePath,
+ dexMetadata);
+ return ok();
+}
+
} // namespace installd
} // namespace android
diff --git a/cmds/installd/InstalldNativeService.h b/cmds/installd/InstalldNativeService.h
index cef62cd..8af6e24 100644
--- a/cmds/installd/InstalldNativeService.h
+++ b/cmds/installd/InstalldNativeService.h
@@ -131,6 +131,11 @@
binder::Status isQuotaSupported(const std::unique_ptr<std::string>& volumeUuid,
bool* _aidl_return);
+ binder::Status prepareAppProfile(const std::string& packageName,
+ int32_t userId, int32_t appId, const std::string& profileName,
+ const std::string& codePath, const std::unique_ptr<std::string>& dexMetadata,
+ bool* _aidl_return);
+
private:
std::recursive_mutex mLock;
diff --git a/cmds/installd/binder/android/os/IInstalld.aidl b/cmds/installd/binder/android/os/IInstalld.aidl
index c819e98..2123998 100644
--- a/cmds/installd/binder/android/os/IInstalld.aidl
+++ b/cmds/installd/binder/android/os/IInstalld.aidl
@@ -92,4 +92,8 @@
void invalidateMounts();
boolean isQuotaSupported(@nullable @utf8InCpp String uuid);
+
+ boolean prepareAppProfile(@utf8InCpp String packageName,
+ int userId, int appId, @utf8InCpp String profileName, @utf8InCpp String codePath,
+ @nullable @utf8InCpp String dexMetadata);
}
diff --git a/cmds/installd/dexopt.cpp b/cmds/installd/dexopt.cpp
index 37f51e0..65fbdb5 100644
--- a/cmds/installd/dexopt.cpp
+++ b/cmds/installd/dexopt.cpp
@@ -2472,5 +2472,55 @@
return true;
}
+bool prepare_app_profile(const std::string& package_name,
+ userid_t user_id,
+ appid_t app_id,
+ const std::string& profile_name,
+ const std::string& code_path ATTRIBUTE_UNUSED,
+ const std::unique_ptr<std::string>& dex_metadata) {
+ // Prepare the current profile.
+ std::string cur_profile = create_current_profile_path(user_id, package_name, profile_name,
+ /*is_secondary_dex*/ false);
+ uid_t uid = multiuser_get_uid(user_id, app_id);
+ if (fs_prepare_file_strict(cur_profile.c_str(), 0600, uid, uid) != 0) {
+ PLOG(ERROR) << "Failed to prepare " << cur_profile;
+ return false;
+ }
+
+ // Check if we need to install the profile from the dex metadata.
+ if (dex_metadata == nullptr) {
+ return true;
+ }
+
+ // We have a dex metdata. Merge the profile into the reference profile.
+ unique_fd ref_profile_fd = open_reference_profile(uid, package_name, profile_name,
+ /*read_write*/ true, /*is_secondary_dex*/ false);
+ unique_fd dex_metadata_fd(TEMP_FAILURE_RETRY(
+ open(dex_metadata->c_str(), O_RDONLY | O_NOFOLLOW)));
+ std::vector<unique_fd> profiles_fd;
+ profiles_fd.push_back(std::move(dex_metadata_fd));
+
+ pid_t pid = fork();
+ if (pid == 0) {
+ /* child -- drop privileges before continuing */
+ gid_t app_shared_gid = multiuser_get_shared_gid(user_id, app_id);
+ drop_capabilities(app_shared_gid);
+
+ // TODO(calin): the dex metadata profile might embed different names for the
+ // same code path (e.g. YouTube.apk or base.apk, depending on how the initial
+ // profile was captured). We should pass the code path to adjust the names in the profile.
+ run_profman_merge(profiles_fd, ref_profile_fd);
+ exit(42); /* only get here on exec failure */
+ }
+
+ /* parent */
+ int return_code = wait_child(pid);
+ if (!WIFEXITED(return_code)) {
+ PLOG(WARNING) << "profman failed for " << package_name << ":" << profile_name;
+ return false;
+ }
+ return true;
+}
+
} // namespace installd
} // namespace android
diff --git a/cmds/installd/dexopt.h b/cmds/installd/dexopt.h
index a2baf60..29312d2 100644
--- a/cmds/installd/dexopt.h
+++ b/cmds/installd/dexopt.h
@@ -70,6 +70,17 @@
const std::string& pkgname,
const std::string& profile_name);
+// Prepare the app profile for the given code path:
+// - create the current profile using profile_name
+// - merge the profile from the dex metadata file (if present) into
+// the reference profile.
+bool prepare_app_profile(const std::string& package_name,
+ userid_t user_id,
+ appid_t app_id,
+ const std::string& profile_name,
+ const std::string& code_path,
+ const std::unique_ptr<std::string>& dex_metadata);
+
bool delete_odex(const char* apk_path, const char* instruction_set, const char* output_path);
bool reconcile_secondary_dex_file(const std::string& dex_path,
diff --git a/cmds/installd/tests/installd_dexopt_test.cpp b/cmds/installd/tests/installd_dexopt_test.cpp
index 729ac3c..4d6d234 100644
--- a/cmds/installd/tests/installd_dexopt_test.cpp
+++ b/cmds/installd/tests/installd_dexopt_test.cpp
@@ -524,6 +524,33 @@
ASSERT_TRUE(AreFilesEqual(ref_profile_content, ref_profile_));
}
+ // TODO(calin): add dex metadata tests once the ART change is merged.
+ void preparePackageProfile(const std::string& package_name, const std::string& profile_name,
+ bool expected_result) {
+ bool result;
+ binder::Status binder_result = service_->prepareAppProfile(
+ package_name, kTestUserId, kTestAppId, profile_name, /*code path*/ "base.apk",
+ /*dex_metadata*/ nullptr, &result);
+ ASSERT_TRUE(binder_result.isOk());
+ ASSERT_EQ(expected_result, result);
+
+ if (!expected_result) {
+ // Do not check the files if we expect to fail.
+ return;
+ }
+
+ std::string code_path_cur_prof = create_current_profile_path(
+ kTestUserId, package_name, profile_name, /*is_secondary_dex*/ false);
+ std::string code_path_ref_profile = create_reference_profile_path(package_name,
+ profile_name, /*is_secondary_dex*/ false);
+
+ // Check that we created the current profile.
+ CheckFileAccess(code_path_cur_prof, kTestAppUid, kTestAppUid, 0600 | S_IFREG);
+
+ // Without dex metadata we don't generate a reference profile.
+ ASSERT_EQ(-1, access(code_path_ref_profile.c_str(), R_OK));
+ }
+
private:
void TransitionToSystemServer() {
ASSERT_TRUE(DropCapabilities(kSystemUid, kSystemGid));
@@ -666,5 +693,23 @@
CheckFileAccess(ref_profile_dir, kSystemUid, kTestAppGid, 0770 | S_IFDIR);
}
+TEST_F(ProfileTest, ProfilePrepareOk) {
+ LOG(INFO) << "ProfilePrepareOk";
+ preparePackageProfile(package_name_, "split.prof", /*expected_result*/ true);
+}
+
+TEST_F(ProfileTest, ProfilePrepareFailInvalidPackage) {
+ LOG(INFO) << "ProfilePrepareFailInvalidPackage";
+ preparePackageProfile("not.there.package", "split.prof", /*expected_result*/ false);
+}
+
+TEST_F(ProfileTest, ProfilePrepareFailProfileChangedUid) {
+ LOG(INFO) << "ProfilePrepareFailProfileChangedUid";
+ SetupProfiles(/*setup_ref*/ false);
+ // Change the uid on the profile to trigger a failure.
+ ::chown(cur_profile_.c_str(), kTestAppUid + 1, kTestAppGid + 1);
+ preparePackageProfile(package_name_, "primary.prof", /*expected_result*/ false);
+}
+
} // namespace installd
} // namespace android