From 48c968d18487b72ba8bfc14c43b796516e92145b Mon Sep 17 00:00:00 2001
From: Charles Chen <liangyuchen@google.com>
Date: Sun, 15 Jan 2023 05:57:32 +0000
Subject: [PATCH] Integrate isIsolatedComputeApp selection logics for
 secontexts

Enables processes with :IsolatedComputeApp set to be selected by seapp contexts with isIsolatedComputeApp selector.

Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: I44f33bdd17454586708cbff2631ecd6725e53087
---
 libselinux/src/android/android_seapp.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index 2b07001e..dc3e9da5 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -134,6 +134,7 @@ struct seapp_context {
 	bool isPrivApp;
 	int32_t minTargetSdkVersion;
 	bool fromRunAs;
+	bool isIsolatedComputeApp;
 	/* outputs */
 	char *domain;
 	char *type;
@@ -239,7 +240,8 @@ static int seapp_context_cmp(const void *A, const void *B)
 		(!s1->name.str || !strcmp(s1->name.str, s2->name.str)) &&
 		(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
 		(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
-		(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp);
+		(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
+		(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
 
 	if (dup) {
 		seapp_contexts_dup = true;
@@ -515,6 +517,15 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 						free_seapp_context(cur);
 						goto err;
 					}
+				} else if (!strcasecmp(name, "isIsolatedComputeApp")) {
+					if (!strcasecmp(value, "true"))
+						cur->isIsolatedComputeApp = true;
+					else if (!strcasecmp(value, "false"))
+						cur->isIsolatedComputeApp = false;
+					else {
+						free_seapp_context(cur);
+						goto err;
+					}
 				} else {
 					free_seapp_context(cur);
 					goto err;
@@ -552,7 +563,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 		int i;
 		for (i = 0; i < nspec; i++) {
 			cur = seapp_contexts[i];
-			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s  isEphemeralApp=%s user=%s seinfo=%s "
+			selinux_log(SELINUX_INFO, "%s:  isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
 					"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
 				__FUNCTION__,
 				cur->isSystemServer ? "true" : "false",
@@ -562,6 +573,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
 				cur->isPrivAppSet ? (cur->isPrivApp ? "true" : "false") : "null",
 				cur->minTargetSdkVersion,
 				cur->fromRunAs ? "true" : "false",
+				cur->isIsolatedComputeApp ? "true" : "false",
 				cur->domain, cur->type, cur->level,
 				levelFromName[cur->levelFrom]);
 		}
@@ -615,6 +627,7 @@ void selinux_android_seapp_context_init(void) {
 #define CAT_MAPPING_MAX_ID (0x1<<16)
 
 #define PRIVILEGED_APP_STR ":privapp"
+#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
 #define EPHEMERAL_APP_STR ":ephemeralapp"
 #define TARGETSDKVERSION_STR ":targetSdkVersion="
 #define FROM_RUNAS_STR ":fromRunAs"
@@ -712,16 +725,17 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 	uid_t appid;
 	bool isPrivApp = false;
 	bool isEphemeralApp = false;
+	bool isIsolatedComputeApp = false;
 	int32_t targetSdkVersion = 0;
 	bool fromRunAs = false;
 	char parsedseinfo[BUFSIZ];
 
-
 	if (seinfo) {
 		if (seinfo_parse(parsedseinfo, seinfo, BUFSIZ))
 			goto err;
 		isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
 		isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
+		isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
 		fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
 		targetSdkVersion = get_app_targetSdkVersion(seinfo);
 		if (targetSdkVersion < 0) {
@@ -800,6 +814,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
 		if (cur->fromRunAs != fromRunAs)
 			continue;
 
+		if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
+			continue;
+
 		if (kind == SEAPP_TYPE && !cur->type)
 			continue;
 		else if (kind == SEAPP_DOMAIN && !cur->domain)