Don't run postinstall script from untrusted rootfs as part of rollback.

During rollback, we don't currently verify that the other partition is actually
a Chrome OS image. Given that, we can't trust its postinstall (yet).
This CL just has us run our own postinstall which switches partitions.

BUG=chromium:366207
TEST=Unittests + integration run in a VM.

Change-Id: I2d267f8a5eaa7c3c56a18f4aaefdda2709deb0fd
Reviewed-on: https://chromium-review.googlesource.com/196665
Tested-by: Chris Sosa <sosa@chromium.org>
Reviewed-by: Alex Deymo <deymo@chromium.org>
Commit-Queue: Chris Sosa <sosa@chromium.org>
diff --git a/postinstall_runner_action.cc b/postinstall_runner_action.cc
index f8bcc36..1b3af2f 100644
--- a/postinstall_runner_action.cc
+++ b/postinstall_runner_action.cc
@@ -84,7 +84,13 @@
   // Runs the postinstall script asynchronously to free up the main loop while
   // it's running.
   vector<string> command;
-  command.push_back(temp_rootfs_dir_ + kPostinstallScript);
+  if (!install_plan_.download_url.empty()) {
+    command.push_back(temp_rootfs_dir_ + kPostinstallScript);
+  } else {
+    // TODO(sosa): crbug.com/366207.
+    // If we're doing a rollback, just run our own postinstall.
+    command.push_back(kPostinstallScript);
+  }
   command.push_back(install_device);
   if (!Subprocess::Get().Exec(command, StaticCompletePostinstall, this)) {
     CompletePostinstall(1);
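Review bot: The choice of which postinstall script to execute is a trust decision, but in `if (!install_plan_.download_url.empty())` it rests on an indirect signal, with an empty download URL taken to mean rollback. Any other path that leaves `download_url` empty would silently skip the new image's postinstall, and a rollback plan that ever carried a URL would again exec the script from the unverified rootfs, so the local script should be the default and the choice keyed on an explicit rollback indication if the install plan can carry one. At minimum, state the assumption at the condition rather than only in the else branch, e.g. `// Empty download_url means rollback: the target rootfs is unverified, so do not exec its postinstall.` The else branch also appears to rely on `kPostinstallScript` being an absolute path that resolves in the running rootfs, which is not visible here. The enclosing function starts and ends outside the hunk.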
diff --git a/postinstall_runner_action_unittest.cc b/postinstall_runner_action_unittest.cc
index 891afc5..be77e08 100644
--- a/postinstall_runner_action_unittest.cc
+++ b/postinstall_runner_action_unittest.cc
@@ -171,6 +171,7 @@
   ObjectFeederAction<InstallPlan> feeder_action;
   InstallPlan install_plan;
   install_plan.install_path = dev;
+  install_plan.download_url = "http://devserver:8080/update";
   install_plan.powerwash_required = powerwash_required;
   feeder_action.set_obj(install_plan);
   PostinstallRunnerAction runner_action(powerwash_marker_file.c_str());
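Review bot: Setting `download_url` on the added line keeps the existing test on the update path, but nothing visible in this diff exercises the new rollback branch. Since that branch exists to keep a script from an unverified rootfs from running, it deserves a regression test: run the action with `install_plan.download_url` left empty and assert that the postinstall placed in the mounted test image is not executed. A short comment on the added line, such as `// Non-empty URL selects the update path, which runs the image's own postinstall.`, would explain why the URL is needed. The test function starts and ends outside the hunk.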