Add applySdkSandboxNextRestrictions flag am: 8c40c00f3d
Original change: https://googleplex-android-review.googlesource.com/c/platform/external/selinux/+/23149989 Change-Id: I7f3e8d9168d80e3384ee4e9c4c6617ce4a1784fe Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
commit
38bf716c63
1 changed files with 21 additions and 3 deletions
|
@ -135,6 +135,7 @@ struct seapp_context {
|
||||||
int32_t minTargetSdkVersion;
|
int32_t minTargetSdkVersion;
|
||||||
bool fromRunAs;
|
bool fromRunAs;
|
||||||
bool isIsolatedComputeApp;
|
bool isIsolatedComputeApp;
|
||||||
|
bool isSdkSandboxNext;
|
||||||
/* outputs */
|
/* outputs */
|
||||||
char *domain;
|
char *domain;
|
||||||
char *type;
|
char *type;
|
||||||
|
@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B)
|
||||||
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
|
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
|
||||||
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
|
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
|
||||||
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
|
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
|
||||||
(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
|
(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
|
||||||
|
(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
|
||||||
|
|
||||||
if (dup) {
|
if (dup) {
|
||||||
seapp_contexts_dup = true;
|
seapp_contexts_dup = true;
|
||||||
|
@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
|
||||||
free_seapp_context(cur);
|
free_seapp_context(cur);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
} else {
|
} else if (!strcasecmp(name, "isSdkSandboxNext")) {
|
||||||
|
if (!strcasecmp(value, "true"))
|
||||||
|
cur->isSdkSandboxNext = true;
|
||||||
|
else if (!strcasecmp(value, "false"))
|
||||||
|
cur->isSdkSandboxNext = false;
|
||||||
|
else {
|
||||||
|
free_seapp_context(cur);
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
free_seapp_context(cur);
|
free_seapp_context(cur);
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < nspec; i++) {
|
for (i = 0; i < nspec; i++) {
|
||||||
cur = seapp_contexts[i];
|
cur = seapp_contexts[i];
|
||||||
selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
|
selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
|
||||||
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
|
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
|
||||||
__FUNCTION__,
|
__FUNCTION__,
|
||||||
cur->isSystemServer ? "true" : "false",
|
cur->isSystemServer ? "true" : "false",
|
||||||
|
@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
|
||||||
cur->minTargetSdkVersion,
|
cur->minTargetSdkVersion,
|
||||||
cur->fromRunAs ? "true" : "false",
|
cur->fromRunAs ? "true" : "false",
|
||||||
cur->isIsolatedComputeApp ? "true" : "false",
|
cur->isIsolatedComputeApp ? "true" : "false",
|
||||||
|
cur->isSdkSandboxNext ? "true" : "false",
|
||||||
cur->domain, cur->type, cur->level,
|
cur->domain, cur->type, cur->level,
|
||||||
levelFromName[cur->levelFrom]);
|
levelFromName[cur->levelFrom]);
|
||||||
}
|
}
|
||||||
|
@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) {
|
||||||
|
|
||||||
#define PRIVILEGED_APP_STR ":privapp"
|
#define PRIVILEGED_APP_STR ":privapp"
|
||||||
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
|
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
|
||||||
|
#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
|
||||||
#define EPHEMERAL_APP_STR ":ephemeralapp"
|
#define EPHEMERAL_APP_STR ":ephemeralapp"
|
||||||
#define TARGETSDKVERSION_STR ":targetSdkVersion="
|
#define TARGETSDKVERSION_STR ":targetSdkVersion="
|
||||||
#define FROM_RUNAS_STR ":fromRunAs"
|
#define FROM_RUNAS_STR ":fromRunAs"
|
||||||
|
@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
|
||||||
bool isPrivApp = false;
|
bool isPrivApp = false;
|
||||||
bool isEphemeralApp = false;
|
bool isEphemeralApp = false;
|
||||||
bool isIsolatedComputeApp = false;
|
bool isIsolatedComputeApp = false;
|
||||||
|
bool isSdkSandboxNext = false;
|
||||||
int32_t targetSdkVersion = 0;
|
int32_t targetSdkVersion = 0;
|
||||||
bool fromRunAs = false;
|
bool fromRunAs = false;
|
||||||
char parsedseinfo[BUFSIZ];
|
char parsedseinfo[BUFSIZ];
|
||||||
|
@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
|
||||||
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
|
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
|
||||||
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
|
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
|
||||||
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
|
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
|
||||||
|
isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
|
||||||
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
|
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
|
||||||
targetSdkVersion = get_app_targetSdkVersion(seinfo);
|
targetSdkVersion = get_app_targetSdkVersion(seinfo);
|
||||||
if (targetSdkVersion < 0) {
|
if (targetSdkVersion < 0) {
|
||||||
|
@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
|
||||||
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
|
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
if (cur->isSdkSandboxNext != isSdkSandboxNext)
|
||||||
|
continue;
|
||||||
|
|
||||||
if (kind == SEAPP_TYPE && !cur->type)
|
if (kind == SEAPP_TYPE && !cur->type)
|
||||||
continue;
|
continue;
|
||||||
else if (kind == SEAPP_DOMAIN && !cur->domain)
|
else if (kind == SEAPP_DOMAIN && !cur->domain)
|
||||||
|
|
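Review bot: In the `seapp_context_cmp` hunk, the added term `(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext)` is true only when the flag is set on `s1`, so once it is ANDed into `dup`, two otherwise identical entries that both leave `isSdkSandboxNext` unset are no longer reported as duplicates. The field is a plain `bool` with no companion `...Set` member, and the lookup hunk already compares it strictly with `cur->isSdkSandboxNext != isSdkSandboxNext`, so the duplicate check should use plain equality: `(s1->isSdkSandboxNext == s2->isSdkSandboxNext);`. The neighbouring `isSystemServer` and `isIsolatedComputeApp` terms have the same shape, and the start of the `dup` expression is outside the hunk, so the overall effect should be confirmed against the full condition. Separately, in the two `selinux_log` hunks the format string places `isSdkSandboxNext=%s` before `user=%s`, while the argument is passed after `cur->fromRunAs`, directly before `cur->domain`. Unless the argument lines hidden between those hunks compensate, a string argument appears to land on `minTargetSdkVersion=%d`, so the arguments should be reordered to follow the format string.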