services/core/java/com/android/server/webkit/WebViewUpdateService.java

/*
 * Copyright (C) 2012 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.server.webkit;

import android.app.ActivityManagerNative;
import android.app.AppGlobals;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.Process;
import android.os.RemoteException;
import android.provider.Settings;
import android.provider.Settings.Secure;
import android.util.AndroidRuntimeException;
import android.util.Slog;
import android.webkit.IWebViewUpdateService;
import android.webkit.WebViewProviderInfo;
import android.webkit.WebViewProviderResponse;
import android.webkit.WebViewFactory;

import com.android.server.SystemService;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

/**
 * Private service to wait for the updatable WebView to be ready for use.
 * @hide
 */
public class WebViewUpdateService extends SystemService {

    private static final String TAG = "WebViewUpdateService";
    private static final int WAIT_TIMEOUT_MS = 4500; // KEY_DISPATCHING_TIMEOUT is 5000.

    // Keeps track of the number of running relro creations
    private int mNumRelroCreationsStarted = 0;
    private int mNumRelroCreationsFinished = 0;
    // Implies that we need to rerun relro creation because we are using an out-of-date package
    private boolean mWebViewPackageDirty = false;
    // Set to true when the current provider is being replaced
    private boolean mCurrentProviderBeingReplaced = false;
    private boolean mAnyWebViewInstalled = false;

    private int NUMBER_OF_RELROS_UNKNOWN = Integer.MAX_VALUE;

    // The WebView package currently in use (or the one we are preparing).
    private PackageInfo mCurrentWebViewPackage = null;
    // The WebView providers that are currently available.
    private WebViewProviderInfo[] mCurrentValidWebViewPackages = null;

    private BroadcastReceiver mWebViewUpdatedReceiver;

    public WebViewUpdateService(Context context) {
        super(context);
    }

    @Override
    public void onStart() {
        mWebViewUpdatedReceiver = new BroadcastReceiver() {
                @Override
                public void onReceive(Context context, Intent intent) {
                    // When a package is replaced we will receive two intents, one representing
                    // the removal of the old package and one representing the addition of the
                    // new package.
                    // In the case where we receive an intent to remove the old version of the
                    // package that is being replaced we set a flag here and early-out so that we
                    // don't change provider while replacing the current package (we will instead
                    // change provider when the new version of the package is being installed).
                    if (intent.getAction().equals(Intent.ACTION_PACKAGE_REMOVED)
                        && intent.getExtras().getBoolean(Intent.EXTRA_REPLACING)) {
                        synchronized(this) {
                            if (mCurrentWebViewPackage == null) return;

                            String webViewPackage = "package:" + mCurrentWebViewPackage.packageName;
                            if (webViewPackage.equals(intent.getDataString()))
                                mCurrentProviderBeingReplaced = true;
                        }

                        return;
                    }

                    for (WebViewProviderInfo provider : WebViewFactory.getWebViewPackages()) {
                        String webviewPackage = "package:" + provider.packageName;

                        if (webviewPackage.equals(intent.getDataString())) {
                            boolean updateWebView = false;
                            boolean removedOldPackage = false;
                            String oldProviderName = null;
                            PackageInfo newPackage = null;
                            synchronized(WebViewUpdateService.this) {
                                try {
                                    updateValidWebViewPackages();
                                    newPackage = findPreferredWebViewPackage();
                                    if (mCurrentWebViewPackage != null)
                                        oldProviderName = mCurrentWebViewPackage.packageName;
                                    // Only trigger update actions if the updated package is the one
                                    // that will be used, or the one that was in use before the
                                    // update, or if we haven't seen a valid WebView package before.
                                    updateWebView =
                                        provider.packageName.equals(newPackage.packageName)
                                        || provider.packageName.equals(oldProviderName)
                                        || mCurrentWebViewPackage == null;
                                    // We removed the old package if we received an intent to remove
                                    // or replace the old package.
                                    removedOldPackage =
                                        provider.packageName.equals(oldProviderName);
                                    if (updateWebView) {
                                        onWebViewProviderChanged(newPackage);
                                    }
                                } catch (WebViewFactory.MissingWebViewPackageException e) {
                                    Slog.e(TAG, "Could not find valid WebView package to create " +
                                            "relro with " + e);
                                }
                            }
                            if(updateWebView && !removedOldPackage && oldProviderName != null) {
                                // If the provider change is the result of adding or replacing a
                                // package that was not the previous provider then we must kill
                                // packages dependent on the old package ourselves. The framework
                                // only kills dependents of packages that are being removed.
                                try {
                                    ActivityManagerNative.getDefault().killPackageDependents(
                                        oldProviderName, getContext().getUserId());
                                } catch (RemoteException e) {
                                }
                            }
                            return;
                        }
                    }
                }
        };
        IntentFilter filter = new IntentFilter();
        filter.addAction(Intent.ACTION_PACKAGE_ADDED);
        filter.addAction(Intent.ACTION_PACKAGE_REMOVED);
        filter.addDataScheme("package");
        getContext().registerReceiver(mWebViewUpdatedReceiver, filter);

        publishBinderService("webviewupdate", new BinderService());
    }

    /**
     * Perform any WebView loading preparations that must happen at boot from the system server,
     * after the package manager has started or after an update to the webview is installed.
     * This must be called in the system server.
     * Currently, this means spawning the child processes which will create the relro files.
     */
    public void prepareWebViewInSystemServer() {
        try {
            synchronized(this) {
                updateValidWebViewPackages();
                mCurrentWebViewPackage = findPreferredWebViewPackage();
                onWebViewProviderChanged(mCurrentWebViewPackage);
            }
        } catch (Throwable t) {
            // Log and discard errors at this stage as we must not crash the system server.
            Slog.e(TAG, "error preparing webview provider from system server", t);
        }
    }


    /**
     * Change WebView provider and provider setting and kill packages using the old provider.
     */
    private void changeProviderAndSetting(String newProviderName) {
        PackageInfo oldPackage = null;
        PackageInfo newPackage = null;
        synchronized(this) {
            oldPackage = mCurrentWebViewPackage;
            updateUserSetting(newProviderName);

            try {
                newPackage = findPreferredWebViewPackage();
                if (oldPackage != null && newPackage.packageName.equals(oldPackage.packageName)) {
                    // If we don't perform the user change, revert the settings change.
                    updateUserSetting(newPackage.packageName);
                    return;
                }
            } catch (WebViewFactory.MissingWebViewPackageException e) {
                Slog.e(TAG, "Tried to change WebView provider but failed to fetch WebView package "
                        + e);
                // If we don't perform the user change but don't have an installed WebView package,
                // we will have changed the setting and it will be used when a package is available.
                return;
            }
            onWebViewProviderChanged(newPackage);
        }
        // Kill apps using the old provider
        try {
            if (oldPackage != null) {
                ActivityManagerNative.getDefault().killPackageDependents(
                        oldPackage.packageName, getContext().getUserId());
            }
        } catch (RemoteException e) {
        }
        return;
    }

    /**
     * This is called when we change WebView provider, either when the current provider is updated
     * or a new provider is chosen / takes precedence.
     */
    private void onWebViewProviderChanged(PackageInfo newPackage) {
        synchronized(this) {
            mAnyWebViewInstalled = true;
            // If we have changed provider then the replacement of the old provider is
            // irrelevant - we can only have chosen a new provider if its package is available.
            mCurrentProviderBeingReplaced = false;
            if (mNumRelroCreationsStarted == mNumRelroCreationsFinished) {
                mCurrentWebViewPackage = newPackage;
                updateUserSetting(newPackage.packageName);

                // The relro creations might 'finish' (not start at all) before
                // WebViewFactory.onWebViewProviderChanged which means we might not know the number
                // of started creations before they finish.
                mNumRelroCreationsStarted = NUMBER_OF_RELROS_UNKNOWN;
                mNumRelroCreationsFinished = 0;
                mNumRelroCreationsStarted = WebViewFactory.onWebViewProviderChanged(newPackage);
                // If the relro creations finish before we know the number of started creations we
                // will have to do any cleanup/notifying here.
                checkIfRelrosDoneLocked();
            } else {
                mWebViewPackageDirty = true;
            }
        }
    }

    /**
     * Updates the currently valid WebView provider packages.
     * Should be used when a provider has been installed or removed.
     * @hide
     * */
    private void updateValidWebViewPackages() {
        List<WebViewProviderInfo> webViewProviders  =
            new ArrayList<WebViewProviderInfo>(Arrays.asList(WebViewFactory.getWebViewPackages()));
        Iterator<WebViewProviderInfo> it = webViewProviders.iterator();
        // remove non-valid packages
        while(it.hasNext()) {
            WebViewProviderInfo current = it.next();
            if (!current.isValidProvider())
                it.remove();
        }
        synchronized(this) {
            mCurrentValidWebViewPackages =
                webViewProviders.toArray(new WebViewProviderInfo[webViewProviders.size()]);
        }
    }

    private static String getUserChosenWebViewProvider() {
        return Settings.Secure.getString(AppGlobals.getInitialApplication().getContentResolver(),
                Settings.Secure.WEBVIEW_PROVIDER);
    }

    private void updateUserSetting(String newProviderName) {
        Settings.Secure.putString(getContext().getContentResolver(),
                Settings.Secure.WEBVIEW_PROVIDER,
                newProviderName == null ? "" : newProviderName);
    }

    /**
     * Returns either the package info of the WebView provider determined in the following way:
     * If the user has chosen a provider then use that if it is valid,
     * otherwise use the first package in the webview priority list that is valid.
     *
     * @hide
     */
    private PackageInfo findPreferredWebViewPackage() {
        WebViewProviderInfo[] providers = mCurrentValidWebViewPackages;

        String userChosenProvider = getUserChosenWebViewProvider();

        // If the user has chosen provider, use that
        for (WebViewProviderInfo provider : providers) {
            if (provider.packageName.equals(userChosenProvider)) {
                return provider.getPackageInfo();
            }
        }

        // User did not choose, or the choice failed, use the most stable provider available
        for (WebViewProviderInfo provider : providers) {
            return provider.getPackageInfo();
        }
        mAnyWebViewInstalled = false;
        throw new WebViewFactory.MissingWebViewPackageException(
                "Could not find a loadable WebView package");
    }

    /**
     * Returns whether WebView is ready and is not going to go through its preparation phase again
     * directly.
     */
    private boolean webViewIsReadyLocked() {
        return !mWebViewPackageDirty
            && (mNumRelroCreationsStarted == mNumRelroCreationsFinished)
            && !mCurrentProviderBeingReplaced
            // The current package might be replaced though we haven't received an intent declaring
            // this yet, the following flag makes anyone loading WebView to wait in this case.
            && mAnyWebViewInstalled;
    }

    private void checkIfRelrosDoneLocked() {
        if (mNumRelroCreationsStarted == mNumRelroCreationsFinished) {
            if (mWebViewPackageDirty) {
                mWebViewPackageDirty = false;
                // If we have changed provider since we started the relro creation we need to
                // redo the whole process using the new package instead.
                // Though, if the current provider package is being replaced we don't want to change
                // provider here since we will perform the change either when the package is added
                // again or when we switch to another provider (whichever comes first).
                if (!mCurrentProviderBeingReplaced) {
                    PackageInfo newPackage = findPreferredWebViewPackage();
                    onWebViewProviderChanged(newPackage);
                }
            } else {
                this.notifyAll();
            }
        }
    }

    private class BinderService extends IWebViewUpdateService.Stub {

        /**
         * The shared relro process calls this to notify us that it's done trying to create a relro
         * file. This method gets called even if the relro creation has failed or the process
         * crashed.
         */
        @Override // Binder call
        public void notifyRelroCreationCompleted() {
            // Verify that the caller is either the shared relro process (nominal case) or the
            // system server (only in the case the relro process crashes and we get here via the
            // crashHandler).
            if (Binder.getCallingUid() != Process.SHARED_RELRO_UID &&
                    Binder.getCallingUid() != Process.SYSTEM_UID) {
                return;
            }

            synchronized (WebViewUpdateService.this) {
                mNumRelroCreationsFinished++;
                checkIfRelrosDoneLocked();
            }
        }

        /**
         * WebViewFactory calls this to block WebView loading until the relro file is created.
         * Returns the WebView provider for which we create relro files.
         */
        @Override // Binder call
        public WebViewProviderResponse waitForAndGetProvider() {
            // The WebViewUpdateService depends on the prepareWebViewInSystemServer call, which
            // happens later (during the PHASE_ACTIVITY_MANAGER_READY) in SystemServer.java. If
            // another service there tries to bring up a WebView in the between, the wait below
            // would deadlock without the check below.
            if (Binder.getCallingPid() == Process.myPid()) {
                throw new IllegalStateException("Cannot create a WebView from the SystemServer");
            }

            PackageInfo webViewPackage = null;
            final long NS_PER_MS = 1000000;
            final long timeoutTimeMs = System.nanoTime() / NS_PER_MS + WAIT_TIMEOUT_MS;
            boolean webViewReady = false;
            int webViewStatus = WebViewFactory.LIBLOAD_SUCCESS;
            synchronized (WebViewUpdateService.this) {
                webViewReady = WebViewUpdateService.this.webViewIsReadyLocked();
                while (!webViewReady) {
                    final long timeNowMs = System.nanoTime() / NS_PER_MS;
                    if (timeNowMs >= timeoutTimeMs) break;
                    try {
                        WebViewUpdateService.this.wait(timeoutTimeMs - timeNowMs);
                    } catch (InterruptedException e) {}
                    webViewReady = WebViewUpdateService.this.webViewIsReadyLocked();
                }
                // Make sure we return the provider that was used to create the relro file
                webViewPackage = WebViewUpdateService.this.mCurrentWebViewPackage;
                if (webViewReady) {
                } else if (mCurrentProviderBeingReplaced) {
                    // It is important that we check this flag before the one representing WebView
                    // being installed, otherwise we might think there is no WebView though the
                    // current one is just being replaced.
                    webViewStatus = WebViewFactory.LIBLOAD_WEBVIEW_BEING_REPLACED;
                } else if (!mAnyWebViewInstalled) {
                    webViewStatus = WebViewFactory.LIBLOAD_FAILED_LISTING_WEBVIEW_PACKAGES;
                } else {
                    // Either the current relro creation  isn't done yet, or the new relro creatioin
                    // hasn't kicked off yet (the last relro creation used an out-of-date WebView).
                    webViewStatus = WebViewFactory.LIBLOAD_FAILED_WAITING_FOR_RELRO;
                }
            }
            if (!webViewReady) Slog.w(TAG, "creating relro file timed out");
            return new WebViewProviderResponse(webViewPackage, webViewStatus);
        }

        /**
         * This is called from DeveloperSettings when the user changes WebView provider.
         */
        @Override // Binder call
        public void changeProviderAndSetting(String newProvider) {
            if (getContext().checkCallingPermission(
                        android.Manifest.permission.WRITE_SECURE_SETTINGS)
                    != PackageManager.PERMISSION_GRANTED) {
                String msg = "Permission Denial: changeProviderAndSetting() from pid="
                        + Binder.getCallingPid()
                        + ", uid=" + Binder.getCallingUid()
                        + " requires " + android.Manifest.permission.WRITE_SECURE_SETTINGS;
                Slog.w(TAG, msg);
                throw new SecurityException(msg);
            }

            WebViewUpdateService.this.changeProviderAndSetting(newProvider);
        }

        @Override // Binder call
        public WebViewProviderInfo[] getValidWebViewPackages() {
            synchronized(WebViewUpdateService.this) {
                return mCurrentValidWebViewPackages;
            }
        }

        @Override // Binder call
        public String getCurrentWebViewPackageName() {
            synchronized(WebViewUpdateService.this) {
                if (WebViewUpdateService.this.mCurrentWebViewPackage == null)
                    return null;
                return WebViewUpdateService.this.mCurrentWebViewPackage.packageName;
            }
        }
    }
}