Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_update_engine / e58bddb7f6708f1f9248fad7ee7896a4aeb435c0^! / . / payload_state.h
commite58bddb7f6708f1f9248fad7ee7896a4aeb435c0[log] [tgz]
authorMarton Hunyady <hunyadym@chromium.org>Tue Apr 10 20:27:26 2018 +0200
committerchrome-bot <chrome-bot@chromium.org>Fri Apr 20 02:48:38 2018 -0700
tree158d4ed49d1f275d44d6e518efca61a0b822a99e
parente0b952199bb0609721151b81618ec6ee936d88cd [diff] [blame]
update_engine: Don't do force updates after rollback.

If the device was rolled back via enterprise policy since the
last update check where policy was present, we shouldn't do a
forced update, because this could lead to an infinite
rollback-update loop.

This is achieved by adding a new pref 'rollback-happened' to
'powerwash_safe_prefs'. This creates a file at '/mnt/
stateful_partition/unencrypted/preserve/update_engine/prefs/
rollback-happened', which is not deleted during powerwash
(crrev.com/c/1005180). If this file exists after powerwash and
its content is 'true', it means the device was rolled back, and
forced updates must not be applied before the device is enrolled
and policy is available again.

When an update check happens and policy is available or device
becomes a consumer device, the file is deleted.

BUG=chromium:831266
TEST='cros_run_unit_tests --board=cyan --packages update_engine'

Change-Id: I0a06696701530c93d4ed388c42e43b65fe78f777
Reviewed-on: https://chromium-review.googlesource.com/1005181
Commit-Ready: Marton Hunyady <hunyadym@chromium.org>
Tested-by: Marton Hunyady <hunyadym@chromium.org>
Reviewed-by: Amin Hassani <ahassani@chromium.org>

diff --git a/payload_state.h b/payload_state.h
index 4ec5bf9..0868a10 100644
--- a/payload_state.h
+++ b/payload_state.h

@@ -120,6 +120,10 @@
 
   void UpdateEngineStarted() override;
 
+  inline bool GetRollbackHappened() override { return rollback_happened_; }
+
+  void SetRollbackHappened(bool rollback_happened) override;
+
   inline std::string GetRollbackVersion() override {
     return rollback_version_;
   }
@@ -167,6 +171,7 @@
   FRIEND_TEST(PayloadStateTest, RebootAfterUpdateFailedMetric);
   FRIEND_TEST(PayloadStateTest, RebootAfterUpdateSucceed);
   FRIEND_TEST(PayloadStateTest, RebootAfterCanceledUpdate);
+  FRIEND_TEST(PayloadStateTest, RollbackHappened);
   FRIEND_TEST(PayloadStateTest, RollbackVersion);
   FRIEND_TEST(PayloadStateTest, UpdateSuccessWithWipedPrefs);
 
@@ -364,6 +369,10 @@
                                uint64_t total_bytes_downloaded,
                                bool log);
 
+  // Loads whether rollback has happened on this device since the last update
+  // check where policy was available. This info is preserved over powerwash.
+  void LoadRollbackHappened();
+
   // Loads the blacklisted version from our prefs file.
   void LoadRollbackVersion();
 
@@ -552,6 +561,11 @@
   // allowed as per device policy.
   std::vector<std::vector<std::string>> candidate_urls_;
 
+  // This stores whether rollback has happened since the last time device policy
+  // was available during update check. When this is set, we're preventing
+  // forced updates to avoid update-rollback loops.
+  bool rollback_happened_;
+
   // This stores a blacklisted version set as part of rollback. When we rollback
   // we store the version of the os from which we are rolling back from in order
   // to guarantee that we do not re-update to it on the next au attempt after