| // Copyright (c) 2014 The Chromium OS Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "update_engine/update_manager/chromeos_policy.h" |
| |
| #include <algorithm> |
| #include <set> |
| #include <string> |
| |
| #include <base/logging.h> |
| #include <base/time/time.h> |
| |
| #include "update_engine/update_manager/device_policy_provider.h" |
| #include "update_engine/update_manager/policy_utils.h" |
| #include "update_engine/update_manager/shill_provider.h" |
| |
| using base::Time; |
| using base::TimeDelta; |
| using std::min; |
| using std::set; |
| using std::string; |
| |
| namespace chromeos_update_manager { |
| |
| EvalStatus ChromeOSPolicy::UpdateCheckAllowed( |
| EvaluationContext* ec, State* state, string* error, |
| UpdateCheckParams* result) const { |
| Time next_update_check; |
| if (NextUpdateCheckTime(ec, state, error, &next_update_check) != |
| EvalStatus::kSucceeded) { |
| return EvalStatus::kFailed; |
| } |
| |
| if (!ec->IsTimeGreaterThan(next_update_check)) |
| return EvalStatus::kAskMeAgainLater; |
| |
| // It is time to check for an update. |
| result->updates_enabled = true; |
| return EvalStatus::kSucceeded; |
| } |
| |
| EvalStatus ChromeOSPolicy::UpdateCanStart( |
| EvaluationContext* ec, |
| State* state, |
| string* error, |
| UpdateCanStartResult* result, |
| const bool interactive, |
| const UpdateState& update_state) const { |
| // Set the default return values. |
| result->update_can_start = true; |
| result->http_allowed = true; |
| result->p2p_allowed = false; |
| result->target_channel.clear(); |
| result->cannot_start_reason = UpdateCannotStartReason::kUndefined; |
| result->scatter_wait_period = kZeroInterval; |
| result->scatter_check_threshold = 0; |
| |
| // Make sure that we're not due for an update check. |
| UpdateCheckParams check_result; |
| EvalStatus check_status = UpdateCheckAllowed(ec, state, error, &check_result); |
| if (check_status == EvalStatus::kFailed) |
| return EvalStatus::kFailed; |
| if (check_status == EvalStatus::kSucceeded && |
| check_result.updates_enabled == true) { |
| result->update_can_start = false; |
| result->cannot_start_reason = UpdateCannotStartReason::kCheckDue; |
| return EvalStatus::kSucceeded; |
| } |
| |
| DevicePolicyProvider* const dp_provider = state->device_policy_provider(); |
| SystemProvider* const system_provider = state->system_provider(); |
| |
| const bool* device_policy_is_loaded_p = ec->GetValue( |
| dp_provider->var_device_policy_is_loaded()); |
| if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { |
| // Ensure that update is enabled. |
| const bool* update_disabled_p = ec->GetValue( |
| dp_provider->var_update_disabled()); |
| if (update_disabled_p && *update_disabled_p) { |
| result->update_can_start = false; |
| result->cannot_start_reason = UpdateCannotStartReason::kDisabledByPolicy; |
| return EvalStatus::kAskMeAgainLater; |
| } |
| |
| // Check whether scattering applies to this update attempt. We should not be |
| // scattering if this is an interactive update check, or if OOBE is enabled |
| // but not completed. |
| // |
| // Note: current code further suppresses scattering if a "deadline" |
| // attribute is found in the Omaha response. However, it appears that the |
| // presence of this attribute is merely indicative of an OOBE update, during |
| // which we suppress scattering anyway. |
| bool scattering_applies = false; |
| if (!interactive) { |
| const bool* is_oobe_enabled_p = ec->GetValue( |
| state->config_provider()->var_is_oobe_enabled()); |
| if (is_oobe_enabled_p && !(*is_oobe_enabled_p)) { |
| scattering_applies = true; |
| } else { |
| const bool* is_oobe_complete_p = ec->GetValue( |
| system_provider->var_is_oobe_complete()); |
| scattering_applies = (is_oobe_complete_p && *is_oobe_complete_p); |
| } |
| } |
| |
| // Compute scattering values. |
| if (scattering_applies) { |
| UpdateScatteringResult scatter_result; |
| EvalStatus scattering_status = UpdateScattering( |
| ec, state, error, &scatter_result, update_state); |
| if (scattering_status != EvalStatus::kSucceeded || |
| scatter_result.is_scattering) { |
| if (scattering_status != EvalStatus::kFailed) { |
| result->update_can_start = false; |
| result->cannot_start_reason = UpdateCannotStartReason::kScattering; |
| result->scatter_wait_period = scatter_result.wait_period; |
| result->scatter_check_threshold = scatter_result.check_threshold; |
| } |
| return scattering_status; |
| } |
| } |
| |
| // Determine whether HTTP downloads are forbidden by policy. This only |
| // applies to official system builds; otherwise, HTTP is always enabled. |
| const bool* is_official_build_p = ec->GetValue( |
| system_provider->var_is_official_build()); |
| if (is_official_build_p && *is_official_build_p) { |
| const bool* policy_http_downloads_enabled_p = ec->GetValue( |
| dp_provider->var_http_downloads_enabled()); |
| result->http_allowed = |
| !policy_http_downloads_enabled_p || *policy_http_downloads_enabled_p; |
| } |
| |
| // Determine whether use of P2P is allowed by policy. |
| const bool* policy_au_p2p_enabled_p = ec->GetValue( |
| dp_provider->var_au_p2p_enabled()); |
| result->p2p_allowed = policy_au_p2p_enabled_p && *policy_au_p2p_enabled_p; |
| |
| // Determine whether a target channel is dictated by policy. |
| const bool* release_channel_delegated_p = ec->GetValue( |
| dp_provider->var_release_channel_delegated()); |
| if (release_channel_delegated_p && !(*release_channel_delegated_p)) { |
| const string* release_channel_p = ec->GetValue( |
| dp_provider->var_release_channel()); |
| if (release_channel_p) |
| result->target_channel = *release_channel_p; |
| } |
| } |
| |
| // Enable P2P, if so mandated by the updater configuration. |
| if (!result->p2p_allowed) { |
| const bool* updater_p2p_enabled_p = ec->GetValue( |
| state->updater_provider()->var_p2p_enabled()); |
| result->p2p_allowed = updater_p2p_enabled_p && *updater_p2p_enabled_p; |
| } |
| |
| return EvalStatus::kSucceeded; |
| } |
| |
| EvalStatus ChromeOSPolicy::NextUpdateCheckTime(EvaluationContext* ec, |
| State* state, string* error, |
| Time* next_update_check) const { |
| // Don't check for updates too often. We limit the update checks to once every |
| // some interval. The interval is kTimeoutInitialInterval the first time and |
| // kTimeoutPeriodicInterval for the subsequent update checks. If the update |
| // check fails, we increase the interval between the update checks |
| // exponentially until kTimeoutMaxBackoffInterval. Finally, to avoid having |
| // many chromebooks running update checks at the exact same time, we add some |
| // fuzz to the interval. |
| const Time* updater_started_time = |
| ec->GetValue(state->updater_provider()->var_updater_started_time()); |
| POLICY_CHECK_VALUE_AND_FAIL(updater_started_time, error); |
| |
| const base::Time* last_checked_time = |
| ec->GetValue(state->updater_provider()->var_last_checked_time()); |
| |
| const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed()); |
| POLICY_CHECK_VALUE_AND_FAIL(seed, error); |
| |
| PRNG prng(*seed); |
| |
| if (!last_checked_time || *last_checked_time < *updater_started_time) { |
| // First attempt. |
| *next_update_check = *updater_started_time + FuzzedInterval( |
| &prng, kTimeoutInitialInterval, kTimeoutRegularFuzz); |
| return EvalStatus::kSucceeded; |
| } |
| // Check for previous failed attempts to implement the exponential backoff. |
| const unsigned int* consecutive_failed_update_checks = ec->GetValue( |
| state->updater_provider()->var_consecutive_failed_update_checks()); |
| POLICY_CHECK_VALUE_AND_FAIL(consecutive_failed_update_checks, error); |
| |
| int interval = kTimeoutInitialInterval; |
| for (unsigned int i = 0; i < *consecutive_failed_update_checks; ++i) { |
| interval *= 2; |
| if (interval > kTimeoutMaxBackoffInterval) { |
| interval = kTimeoutMaxBackoffInterval; |
| break; |
| } |
| } |
| |
| *next_update_check = *last_checked_time + FuzzedInterval( |
| &prng, interval, kTimeoutRegularFuzz); |
| return EvalStatus::kSucceeded; |
| } |
| |
| TimeDelta ChromeOSPolicy::FuzzedInterval(PRNG* prng, int interval, int fuzz) { |
| DCHECK_GE(interval, 0); |
| DCHECK_GE(fuzz, 0); |
| int half_fuzz = fuzz / 2; |
| // This guarantees the output interval is non negative. |
| int interval_min = std::max(interval - half_fuzz, 0); |
| int interval_max = interval + half_fuzz; |
| return TimeDelta::FromSeconds(prng->RandMinMax(interval_min, interval_max)); |
| } |
| |
| EvalStatus ChromeOSPolicy::UpdateScattering( |
| EvaluationContext* ec, |
| State* state, |
| string* error, |
| UpdateScatteringResult* result, |
| const UpdateState& update_state) const { |
| // Preconditions. These stem from the postconditions and usage contract. |
| DCHECK(update_state.scatter_wait_period >= kZeroInterval); |
| DCHECK_GE(update_state.scatter_check_threshold, 0); |
| |
| // Set default result values. |
| result->is_scattering = false; |
| result->wait_period = kZeroInterval; |
| result->check_threshold = 0; |
| |
| DevicePolicyProvider* const dp_provider = state->device_policy_provider(); |
| |
| // Ensure that a device policy is loaded. |
| const bool* device_policy_is_loaded_p = ec->GetValue( |
| dp_provider->var_device_policy_is_loaded()); |
| if (!(device_policy_is_loaded_p && *device_policy_is_loaded_p)) |
| return EvalStatus::kSucceeded; |
| |
| // Is scattering enabled by policy? |
| const TimeDelta* scatter_factor_p = ec->GetValue( |
| dp_provider->var_scatter_factor()); |
| if (!scatter_factor_p || *scatter_factor_p == kZeroInterval) |
| return EvalStatus::kSucceeded; |
| |
| // Obtain a pseudo-random number generator. |
| const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed()); |
| POLICY_CHECK_VALUE_AND_FAIL(seed, error); |
| PRNG prng(*seed); |
| |
| // Step 1: Maintain the scattering wait period. |
| // |
| // If no wait period was previously determined, or it no longer fits in the |
| // scatter factor, then generate a new one. Otherwise, keep the one we have. |
| TimeDelta wait_period = update_state.scatter_wait_period; |
| if (wait_period == kZeroInterval || wait_period > *scatter_factor_p) { |
| wait_period = TimeDelta::FromSeconds( |
| prng.RandMinMax(1, scatter_factor_p->InSeconds())); |
| } |
| |
| // If we surpass the wait period or the max scatter period associated with |
| // the update, then no wait is needed. |
| Time wait_expires = (update_state.first_seen + |
| min(wait_period, update_state.scatter_wait_period_max)); |
| if (ec->IsTimeGreaterThan(wait_expires)) |
| wait_period = kZeroInterval; |
| |
| // Step 2: Maintain the update check threshold count. |
| // |
| // If an update check threshold is not specified then generate a new |
| // one. |
| int check_threshold = update_state.scatter_check_threshold; |
| if (check_threshold == 0) { |
| check_threshold = prng.RandMinMax( |
| update_state.scatter_check_threshold_min, |
| update_state.scatter_check_threshold_max); |
| } |
| |
| // If the update check threshold is not within allowed range then nullify it. |
| // TODO(garnold) This is compliant with current logic found in |
| // OmahaRequestAction::IsUpdateCheckCountBasedWaitingSatisfied(). We may want |
| // to change it so that it behaves similarly to the wait period case, namely |
| // if the current value exceeds the maximum, we set a new one within range. |
| if (check_threshold > update_state.scatter_check_threshold_max) |
| check_threshold = 0; |
| |
| // If the update check threshold is non-zero and satisfied, then nullify it. |
| if (check_threshold > 0 && update_state.num_checks >= check_threshold) |
| check_threshold = 0; |
| |
| bool is_scattering = (wait_period != kZeroInterval || check_threshold); |
| EvalStatus ret = EvalStatus::kSucceeded; |
| if (is_scattering && wait_period == update_state.scatter_wait_period && |
| check_threshold == update_state.scatter_check_threshold) |
| ret = EvalStatus::kAskMeAgainLater; |
| result->is_scattering = is_scattering; |
| result->wait_period = wait_period; |
| result->check_threshold = check_threshold; |
| return ret; |
| } |
| |
| // TODO(garnold) Logic in this method is based on |
| // ConnectionManager::IsUpdateAllowedOver(); be sure to deprecate the latter. |
| // |
| // TODO(garnold) The current logic generally treats the list of allowed |
| // connections coming from the device policy as a whitelist, meaning that it |
| // can only be used for enabling connections, but not disable them. Further, |
| // certain connection types (like Bluetooth) cannot be enabled even by policy. |
| // In effect, the only thing that device policy can change is to enable |
| // updates over a cellular network (disabled by default). We may want to |
| // revisit this semantics, allowing greater flexibility in defining specific |
| // permissions over all types of networks. |
| EvalStatus ChromeOSPolicy::UpdateCurrentConnectionAllowed( |
| EvaluationContext* ec, |
| State* state, |
| string* error, |
| bool* result) const { |
| // Get the current connection type. |
| ShillProvider* const shill_provider = state->shill_provider(); |
| const ConnectionType* conn_type_p = ec->GetValue( |
| shill_provider->var_conn_type()); |
| POLICY_CHECK_VALUE_AND_FAIL(conn_type_p, error); |
| ConnectionType conn_type = *conn_type_p; |
| |
| // If we're tethering, treat it as a cellular connection. |
| if (conn_type != ConnectionType::kCellular) { |
| const ConnectionTethering* conn_tethering_p = ec->GetValue( |
| shill_provider->var_conn_tethering()); |
| POLICY_CHECK_VALUE_AND_FAIL(conn_tethering_p, error); |
| if (*conn_tethering_p == ConnectionTethering::kConfirmed) |
| conn_type = ConnectionType::kCellular; |
| } |
| |
| // By default, we allow updates for all connection types, with exceptions as |
| // noted below. This also determines whether a device policy can override the |
| // default. |
| *result = true; |
| bool device_policy_can_override = false; |
| switch (conn_type) { |
| case ConnectionType::kBluetooth: |
| *result = false; |
| break; |
| |
| case ConnectionType::kCellular: |
| *result = false; |
| device_policy_can_override = true; |
| break; |
| |
| case ConnectionType::kUnknown: |
| if (error) |
| *error = "Unknown connection type"; |
| return EvalStatus::kFailed; |
| |
| default: |
| break; // Nothing to do. |
| } |
| |
| // If update is allowed, we're done. |
| if (*result) |
| return EvalStatus::kSucceeded; |
| |
| // Check whether the device policy specifically allows this connection. |
| bool user_settings_can_override = false; |
| if (device_policy_can_override) { |
| DevicePolicyProvider* const dp_provider = state->device_policy_provider(); |
| const bool* device_policy_is_loaded_p = ec->GetValue( |
| dp_provider->var_device_policy_is_loaded()); |
| if (device_policy_is_loaded_p && *device_policy_is_loaded_p) { |
| const set<ConnectionType>* allowed_conn_types_p = ec->GetValue( |
| dp_provider->var_allowed_connection_types_for_update()); |
| if (allowed_conn_types_p) { |
| if (allowed_conn_types_p->count(conn_type)) { |
| *result = true; |
| return EvalStatus::kSucceeded; |
| } |
| } else { |
| user_settings_can_override = true; |
| } |
| } |
| } |
| |
| // Local user settings can allow updates iff a policy was loaded but no |
| // allowed connections were specified in it. In all other cases, we either |
| // stick with the default or use the values determined by the policy. |
| if (user_settings_can_override) { |
| const bool* update_over_cellular_allowed_p = ec->GetValue( |
| state->updater_provider()->var_cellular_enabled()); |
| if (update_over_cellular_allowed_p && *update_over_cellular_allowed_p) |
| *result = true; |
| } |
| |
| return EvalStatus::kSucceeded; |
| } |
| |
| } // namespace chromeos_update_manager |