From 8c40c00f3d7b2a2881a38c073bce4dba0e87dba0 Mon Sep 17 00:00:00 2001
From: Mugdha Lakhani
Date: Thu, 11 May 2023 14:20:07 +0000
Subject: [PATCH] Add applySdkSandboxNextRestrictions flag

seapp_context_lookup_internal applies a flag that is referenced in seapp_contexts based on the seInfo string passed to it. This enables testers to test out the set of restriction planned the next SDK version and give feedback before we decide on the actual restrictions for the next release.

Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
---
 libselinux/src/android/android_seapp.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index dc3e9da5..391165d2 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -135,6 +135,7 @@ struct seapp_context {
  int32_t minTargetSdkVersion;
  bool fromRunAs;
  bool isIsolatedComputeApp;
+ bool isSdkSandboxNext;
  /* outputs */
  char *domain;
  char *type;
@@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B)
  (s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
  (s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
  (s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
- (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
+ (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
+ (s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
  if (dup) {
  seapp_contexts_dup = true;
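Review bot: The new duplicate-detection conjunct `(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext)` can only be true when both entries set the flag, so two otherwise identical seapp_contexts rules that leave isSdkSandboxNext at its default false are never reported through seapp_contexts_dup, and an ambiguous domain assignment is accepted silently. isSdkSandboxNext is a plain bool with no `*Set` companion (unlike isPrivApp/isEphemeralApp), so equality alone is the correct test: `(s1->isSdkSandboxNext == s2->isSdkSandboxNext);`. The neighbouring isIsolatedComputeApp and isSystemServer conjuncts have the same shape, so this may be deliberate copying of an existing pattern, but it is better not to extend it to the new selector. seapp_context_cmp starts before this hunk.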
@@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
  free_seapp_context(cur);
  goto err;
  }
- } else {
+ } else if (!strcasecmp(name, "isSdkSandboxNext")) {
+ if (!strcasecmp(value, "true"))
+ cur->isSdkSandboxNext = true;
+ else if (!strcasecmp(value, "false"))
+ cur->isSdkSandboxNext = false;
+ else {
+ free_seapp_context(cur);
+ goto err;
+ }
+ } else {
  free_seapp_context(cur);
  goto err;
  }
@@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
  int i;
  for (i = 0; i < nspec; i++) {
  cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
  "name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
  __FUNCTION__,
  cur->isSystemServer ? "true" : "false",
@@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
  cur->minTargetSdkVersion,
  cur->fromRunAs ? "true" : "false",
  cur->isIsolatedComputeApp ? "true" : "false",
+ cur->isSdkSandboxNext ? "true" : "false",
  cur->domain, cur->type, cur->level, levelFromName[cur->levelFrom]);
  }
@@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) {
 #define PRIVILEGED_APP_STR ":privapp"
 #define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
+#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
 #define EPHEMERAL_APP_STR ":ephemeralapp"
 #define TARGETSDKVERSION_STR ":targetSdkVersion="
 #define FROM_RUNAS_STR ":fromRunAs"
@@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
  bool isPrivApp = false;
  bool isEphemeralApp = false;
  bool isIsolatedComputeApp = false;
+ bool isSdkSandboxNext = false;
  int32_t targetSdkVersion = 0;
  bool fromRunAs = false;
  char parsedseinfo[BUFSIZ];
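Review bot: The parser now accepts a new `isSdkSandboxNext` input-selector key, but nothing in the patch documents what it means for matching, and the key name differs from the `applySdkSandboxNextRestrictions` flag named in the commit title, so the two are hard to connect. Because the field has no `*Set` companion and the lookup later in this patch compares it with `!=`, writing `isSdkSandboxNext=false` is indistinguishable from omitting the key, and an entry that omits it never matches a process whose seinfo carries the token; that contract belongs wherever the input selectors are described, next to isIsolatedComputeApp, e.g. `isSdkSandboxNext=true|false (default false; an entry without it does not match sdk-sandbox-next processes)`. If the selector list is documented outside this file (the sepolicy seapp_contexts header), that is the place to add it. seapp_context_reload_internal continues on both sides of this hunk.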
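Review bot: `APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR` breaks the convention of its neighbours, where the macro name mirrors the seinfo token it matches (`ISOLATED_COMPUTE_APP_STR` ↔ `:isolatedComputeApp`, `FROM_RUNAS_STR` ↔ `:fromRunAs`), so a reader grepping for the `:isSdkSandboxNext` token or the seapp_contexts key will not find the constant by name. Renaming it to `#define SDK_SANDBOX_NEXT_STR ":isSdkSandboxNext"` and using `SDK_SANDBOX_NEXT_STR` at the strstr() call in the lookup hunk keeps the macro, the seinfo token and the seapp_contexts key aligned. This is a naming point only; the value is unchanged.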
@@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
  isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
  isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
  isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
+ isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
  fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
  targetSdkVersion = get_app_targetSdkVersion(seinfo);
  if (targetSdkVersion < 0) {
@@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
  if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
  continue;
+ if (cur->isSdkSandboxNext != isSdkSandboxNext)
+ continue;
+
  if (kind == SEAPP_TYPE && !cur->type)
  continue;
  else if (kind == SEAPP_DOMAIN && !cur->domain)
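Review bot: `isSdkSandboxNext` is derived by an unanchored `strstr()` over seinfo, so any seinfo that merely contains the characters `:isSdkSandboxNext` — including a longer future token such as `:isSdkSandboxNextV2` — selects the sandbox-next rules, and whoever composes seinfo fully controls which rule family the process lands in. That matches how the sibling flags are detected, but since the commit describes this as a tester-facing switch rather than a security boundary, a comment at the point the flag is read should make the trust assumption explicit, e.g. `/* Tester opt-in read from seinfo; the seinfo producer is trusted and the isSdkSandboxNext rules must not be less restrictive than the default ones. */`. I cannot see from this hunk who builds seinfo or how parsedseinfo is derived below it, so whether the new token needs to be stripped before the seinfo field comparison should be checked as well. seapp_context_lookup_internal starts before this hunk.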
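Review bot: The added `if (cur->isSdkSandboxNext != isSdkSandboxNext) continue;` makes the match exact, so a process whose seinfo carries the token matches only entries that explicitly set `isSdkSandboxNext=true`, and a device whose seapp_contexts has no such entry gets no match for it at all, which presumably fails the lookup (the failure path is outside this hunk). Failing closed is the right default for a restriction switch, but it is not obvious from the code and deserves a comment, e.g. `/* Exact match: entries default to false, so a sandbox-next process only matches rules that opt in explicitly. */`. seapp_context_lookup_internal continues past this hunk.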