Add applySdkSandboxNextRestrictions flag am: e1c842285b am: 630c8c01c5 am: d5783f3391 am: 263eed616d

Original change: https://android-review.googlesource.com/c/platform/external/selinux/+/2584678

Change-Id: I7f1d5f8feb6494f0b7b1d2c04d97d00eed98f080
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

libselinux/src/android/android_seapp.c

@@ -135,6 +135,7 @@ struct seapp_context {
 	int32_t minTargetSdkVersion;
 	bool fromRunAs;
 	bool isIsolatedComputeApp;
+	bool isSdkSandboxNext;
 	/* outputs */
 	char *domain;
 	char *type;
@@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B)
 		(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
 		(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
 		(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
-		(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
+		(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
+		(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
 
 	if (dup) {
 		seapp_contexts_dup = true;
@@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 						free_seapp_context(cur);
 						goto err;
 					}
-				} else {
+				} else if (!strcasecmp(name, "isSdkSandboxNext")) {
+					if (!strcasecmp(value, "true"))
+						cur->isSdkSandboxNext = true;
+					else if (!strcasecmp(value, "false"))
+						cur->isSdkSandboxNext = false;
+					else {
+						free_seapp_context(cur);
+              goto err;
+            }
+        } else {
 					free_seapp_context(cur);
 					goto err;
 				}
@@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 		int i;
 		for (i = 0; i < nspec; i++) {
 			cur = seapp_contexts[i];
-			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
+			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
 					"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
 				__FUNCTION__,
 				cur->isSystemServer ? "true" : "false",
@@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 				cur->minTargetSdkVersion,
 				cur->fromRunAs ? "true" : "false",
 				cur->isIsolatedComputeApp ? "true" : "false",
+				cur->isSdkSandboxNext ? "true" : "false",
 				cur->domain, cur->type, cur->level,
 				levelFromName[cur->levelFrom]);
 		}
@@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) {
 
 #define PRIVILEGED_APP_STR ":privapp"
 #define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
+#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
 #define EPHEMERAL_APP_STR ":ephemeralapp"
 #define TARGETSDKVERSION_STR ":targetSdkVersion="
 #define FROM_RUNAS_STR ":fromRunAs"
@@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 	bool isPrivApp = false;
 	bool isEphemeralApp = false;
 	bool isIsolatedComputeApp = false;
+	bool isSdkSandboxNext = false;
 	int32_t targetSdkVersion = 0;
 	bool fromRunAs = false;
 	char parsedseinfo[BUFSIZ];
@@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 		isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
 		isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
 		isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
+		isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
 		fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
 		targetSdkVersion = get_app_targetSdkVersion(seinfo);
 		if (targetSdkVersion < 0) {
@@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 		if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
 			continue;
 
+		if (cur->isSdkSandboxNext != isSdkSandboxNext)
+			continue;
+
 		if (kind == SEAPP_TYPE && !cur->type)
 			continue;
 		else if (kind == SEAPP_DOMAIN && !cur->domain)