diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c index dc3e9da5..391165d2 100644 --- a/libselinux/src/android/android_seapp.c +++ b/libselinux/src/android/android_seapp.c @@ -135,6 +135,7 @@ struct seapp_context { int32_t minTargetSdkVersion; bool fromRunAs; bool isIsolatedComputeApp; + bool isSdkSandboxNext; /* outputs */ char *domain; char *type; @@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B) (s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) && (s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) && (s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) && - (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp); + (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) && + (s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext); if (dup) { seapp_contexts_dup = true; @@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths) free_seapp_context(cur); goto err; } - } else { + } else if (!strcasecmp(name, "isSdkSandboxNext")) { + if (!strcasecmp(value, "true")) + cur->isSdkSandboxNext = true; + else if (!strcasecmp(value, "false")) + cur->isSdkSandboxNext = false; + else { + free_seapp_context(cur); + goto err; + } + } else { free_seapp_context(cur); goto err; } @@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths) int i; for (i = 0; i < nspec; i++) { cur = seapp_contexts[i]; - selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s " + selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s " "name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s", __FUNCTION__, cur->isSystemServer ? "true" : "false", @@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths) cur->minTargetSdkVersion, cur->fromRunAs ? "true" : "false", cur->isIsolatedComputeApp ? "true" : "false", + cur->isSdkSandboxNext ? "true" : "false", cur->domain, cur->type, cur->level, levelFromName[cur->levelFrom]); } @@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) { #define PRIVILEGED_APP_STR ":privapp" #define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp" +#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext" #define EPHEMERAL_APP_STR ":ephemeralapp" #define TARGETSDKVERSION_STR ":targetSdkVersion=" #define FROM_RUNAS_STR ":fromRunAs" @@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind, bool isPrivApp = false; bool isEphemeralApp = false; bool isIsolatedComputeApp = false; + bool isSdkSandboxNext = false; int32_t targetSdkVersion = 0; bool fromRunAs = false; char parsedseinfo[BUFSIZ]; @@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind, isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false; isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false; isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false; + isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false; fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false; targetSdkVersion = get_app_targetSdkVersion(seinfo); if (targetSdkVersion < 0) { @@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind, if (cur->isIsolatedComputeApp != isIsolatedComputeApp) continue; + if (cur->isSdkSandboxNext != isSdkSandboxNext) + continue; + if (kind == SEAPP_TYPE && !cur->type) continue; else if (kind == SEAPP_DOMAIN && !cur->domain)