Enable runtime turndown of backup/restore services

The heavy implementation of the backup manager service is now sitting
behind a lightweight trampoline that actually provides the binder
call interface.  The indirection allows us now to tear down the
implementation on the fly without breaking callers who have cached
binder references to the backup services: these callers will simply
see their future invocations failing benignly.

In addition there is now an API for suitably privileged callers such
as device policy management to effect this turndown.

Finally, there is now a static system property, "ro.backup.disable",
that a product can use to outright remove backup/restore operation
from the system's operation.  The public APIs will continue to be
safely usable on such products but no data will be moved to or
from the device.

Bug 17367491

Change-Id: I8108e386ef3b5c967938fae483366d6978fe4e04

1 files changed, 19 insertions, 18 deletions

diff --git a/services/backup/java/com/android/server/backup/BackupManagerService.java b/services/backup/java/com/android/server/backup/BackupManagerService.java
index fea1a7a..6c2681b 100644
--- a/services/backup/java/com/android/server/backup/BackupManagerService.java
+++ b/services/backup/java/com/android/server/backup/BackupManagerService.java
@@ -153,7 +153,7 @@ import javax.crypto.spec.SecretKeySpec;
 
 import libcore.io.IoUtils;
 
-public class BackupManagerService extends IBackupManager.Stub {
+public class BackupManagerService {
 
     private static final String TAG = "BackupManagerService";
     private static final boolean DEBUG = true;
@@ -322,8 +322,12 @@ public class BackupManagerService extends IBackupManager.Stub {
     // Watch the device provisioning operation during setup
     ContentObserver mProvisionedObserver;
 
-    static BackupManagerService sInstance;
-    static BackupManagerService getInstance() {
+    // The published binder is actually to a singleton trampoline object that calls
+    // through to the proper code.  This indirection lets us turn down the heavy
+    // implementation object on the fly without disturbing binders that have been
+    // cached elsewhere in the system.
+    static Trampoline sInstance;
+    static Trampoline getInstance() {
         // Always constructed during system bringup, so no need to lazy-init
         return sInstance;
     }
@@ -332,7 +336,7 @@ public class BackupManagerService extends IBackupManager.Stub {
 
         public Lifecycle(Context context) {
             super(context);
-            sInstance = new BackupManagerService(context);
+            sInstance = new Trampoline(context);
         }
 
         @Override
@@ -342,11 +346,17 @@ public class BackupManagerService extends IBackupManager.Stub {
 
         @Override
         public void onBootPhase(int phase) {
-            if (phase == PHASE_THIRD_PARTY_APPS_CAN_START) {
+            if (phase == PHASE_SYSTEM_SERVICES_READY) {
+                sInstance.initialize(UserHandle.USER_OWNER);
+            } else if (phase == PHASE_THIRD_PARTY_APPS_CAN_START) {
                 ContentResolver r = sInstance.mContext.getContentResolver();
                 boolean areEnabled = Settings.Secure.getInt(r,
                         Settings.Secure.BACKUP_ENABLED, 0) != 0;
-                sInstance.setBackupEnabled(areEnabled);
+                try {
+                    sInstance.setBackupEnabled(areEnabled);
+                } catch (RemoteException e) {
+                    // can't happen; it's a local object
+                }
             }
         }
     }
@@ -934,7 +944,7 @@ public class BackupManagerService extends IBackupManager.Stub {
 
     // ----- Main service implementation -----
 
-    public BackupManagerService(Context context) {
+    public BackupManagerService(Context context, Trampoline parent) {
         mContext = context;
         mPackageManager = context.getPackageManager();
         mPackageManagerBinder = AppGlobals.getPackageManager();
@@ -944,7 +954,7 @@ public class BackupManagerService extends IBackupManager.Stub {
         mPowerManager = (PowerManager) context.getSystemService(Context.POWER_SERVICE);
         mMountService = IMountService.Stub.asInterface(ServiceManager.getService("mount"));
 
-        mBackupManagerBinder = asInterface(asBinder());
+        mBackupManagerBinder = Trampoline.asInterface(parent.asBinder());
 
         // spin up the backup/restore handler thread
         mHandlerThread = new HandlerThread("backup", Process.THREAD_PRIORITY_BACKGROUND);
@@ -1451,7 +1461,6 @@ public class BackupManagerService extends IBackupManager.Stub {
         return false;
     }
 
-    @Override
     public boolean setBackupPassword(String currentPw, String newPw) {
         mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
                 "setBackupPassword");
@@ -1532,7 +1541,6 @@ public class BackupManagerService extends IBackupManager.Stub {
         return false;
     }
 
-    @Override
     public boolean hasBackupPassword() {
         mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
                 "hasBackupPassword");
@@ -8145,7 +8153,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
     //
     // This is the variant used by 'adb backup'; it requires on-screen confirmation
     // by the user because it can be used to offload data over untrusted USB.
-    @Override
     public void fullBackup(ParcelFileDescriptor fd, boolean includeApks,
             boolean includeObbs, boolean includeShared, boolean doWidgets,
             boolean doAllApps, boolean includeSystem, boolean compress, String[] pkgList) {
@@ -8217,7 +8224,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
         }
     }
 
-    @Override
     public void fullTransportBackup(String[] pkgNames) {
         mContext.enforceCallingPermission(android.Manifest.permission.BACKUP,
                 "fullTransportBackup");
@@ -8247,7 +8253,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
         }
     }
 
-    @Override
     public void fullRestore(ParcelFileDescriptor fd) {
         mContext.enforceCallingPermission(android.Manifest.permission.BACKUP, "fullRestore");
 
@@ -8343,7 +8348,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
 
     // Confirm that the previously-requested full backup/restore operation can proceed.  This
     // is used to require a user-facing disclosure about the operation.
-    @Override
     public void acknowledgeFullBackupOrRestore(int token, boolean allow,
             String curPassword, String encPpassword, IFullBackupRestoreObserver observer) {
         if (DEBUG) Slog.d(TAG, "acknowledgeFullBackupOrRestore : token=" + token
@@ -8391,8 +8395,7 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
         }
     }
 
-    // Enable/disable the backup service
-    @Override
+    // Enable/disable backups
     public void setBackupEnabled(boolean enable) {
         mContext.enforceCallingOrSelfPermission(android.Manifest.permission.BACKUP,
                 "setBackupEnabled");
@@ -8798,7 +8801,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
 
     // Note that a currently-active backup agent has notified us that it has
     // completed the given outstanding asynchronous backup/restore operation.
-    @Override
     public void opComplete(int token) {
         if (MORE_DEBUG) Slog.v(TAG, "opComplete: " + Integer.toHexString(token));
         Operation op = null;
@@ -9147,7 +9149,6 @@ if (MORE_DEBUG) Slog.v(TAG, "   + got " + nRead + "; now wanting " + (size - soF
         }
     }
 
-    @Override
     public void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
         mContext.enforceCallingOrSelfPermission(android.Manifest.permission.DUMP, TAG);