sideload without holding the whole package in RAM

Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).

We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.

We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host.  This file is then passed to the
verification and installation systems like any other.

To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.

One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem).  We rely on SELinux enforcement to
restrict the set of things that can be accessed.

Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114

1 files changed, 51 insertions, 16 deletions

diff --git a/adb_install.cpp b/adb_install.cpp
index a226ea5..fb7860c 100644
--- a/adb_install.cpp
+++ b/adb_install.cpp
@@ -69,6 +69,10 @@ maybe_restart_adbd() {
     }
 }
 
+// How long (in seconds) we wait for the host to start sending us a
+// package, before timing out.
+#define ADB_INSTALL_TIMEOUT 300
+
 int
 apply_from_adb(RecoveryUI* ui_, int* wipe_cache, const char* install_file) {
     ui = ui_;
@@ -84,27 +88,58 @@ apply_from_adb(RecoveryUI* ui_, int* wipe_cache, const char* install_file) {
         execl("/sbin/recovery", "recovery", "--adbd", NULL);
         _exit(-1);
     }
+
+    // ADB_SIDELOAD_HOST_PATHNAME will start to exist once the host
+    // connects and starts serving a package.  Poll for its
+    // appearance.  (Note that inotify doesn't work with FUSE.)
+    int result;
     int status;
-    // TODO(dougz): there should be a way to cancel waiting for a
-    // package (by pushing some button combo on the device).  For now
-    // you just have to 'adb sideload' a file that's not a valid
-    // package, like "/dev/null".
-    waitpid(child, &status, 0);
+    bool waited = false;
+    struct stat st;
+    for (int i = 0; i < ADB_INSTALL_TIMEOUT; ++i) {
+        if (waitpid(child, &status, WNOHANG) != 0) {
+            result = INSTALL_ERROR;
+            waited = true;
+            break;
+        }
+
+        if (stat(ADB_SIDELOAD_HOST_PATHNAME, &st) != 0) {
+            if (errno == ENOENT && i < ADB_INSTALL_TIMEOUT-1) {
+                sleep(1);
+                continue;
+            } else {
+                ui->Print("\nTimed out waiting for package.\n\n", strerror(errno));
+                result = INSTALL_ERROR;
+                kill(child, SIGKILL);
+                break;
+            }
+        }
+        result = install_package(ADB_SIDELOAD_HOST_PATHNAME, wipe_cache, install_file, false);
+        break;
+    }
+
+    if (!waited) {
+        // Calling stat() on this magic filename signals the minadbd
+        // subprocess to shut down.
+        stat(ADB_SIDELOAD_HOST_EXIT_PATHNAME, &st);
+
+        // TODO(dougz): there should be a way to cancel waiting for a
+        // package (by pushing some button combo on the device).  For now
+        // you just have to 'adb sideload' a file that's not a valid
+        // package, like "/dev/null".
+        waitpid(child, &status, 0);
+    }
+
     if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-        ui->Print("status %d\n", WEXITSTATUS(status));
+        if (WEXITSTATUS(status) == 3) {
+            ui->Print("\nYou need adb 1.0.32 or newer to sideload\nto this device.\n\n");
+        } else if (!WIFSIGNALED(status)) {
+            ui->Print("\n(adbd status %d)\n", WEXITSTATUS(status));
+        }
     }
 
     set_usb_driver(false);
     maybe_restart_adbd();
 
-    struct stat st;
-    if (stat(ADB_SIDELOAD_FILENAME, &st) != 0) {
-        if (errno == ENOENT) {
-            ui->Print("No package received.\n");
-        } else {
-            ui->Print("Error reading package:\n  %s\n", strerror(errno));
-        }
-        return INSTALL_ERROR;
-    }
-    return install_package(ADB_SIDELOAD_FILENAME, wipe_cache, install_file);
+    return result;
 }