From 307049222a841a16d2a3ec7cbaf656380922c41a Mon Sep 17 00:00:00 2001
From: Charles Chen
Date: Sun, 15 Jan 2023 05:41:42 +0000
Subject: [PATCH] Update seapp_contexts with isIsolatedComputeApp selector
Provide isIsolatedComputeApp selector for apps reusing _isolated user to run in domains other than isolated_app. Processes match the selector will have a default domain isolated_compute_app assigned. Also updated _isolated neverallow statements.
Bug: 265540209
Bug: 265746493
Test: m && atest --host libselinux_test with change on android_unittest.cpp
Change-Id: Ia05954aa6a9a9a07d6a8d1e3235a89e7b37dead9
---
 private/seapp_contexts | 12 +++++++++++-
 tools/check_seapp.c | 1 +
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/private/seapp_contexts b/private/seapp_contexts
index d3f065bff..7fdd96297 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -11,6 +11,7 @@
 # isPrivApp (boolean)
 # minTargetSdkVersion (unsigned integer)
 # fromRunAs (boolean)
+# isIsolatedComputeApp (boolean)
 #
 # All specified input selectors in an entry must match (i.e. logical AND).
 # An unspecified string or boolean selector with no default will match any
@@ -40,6 +41,11 @@
 # it has a default value of 0.
 # fromRunAs=true means the process being labeled is started by run-as. Default
 # is false.
+# isIsolatedComputeApp=true means the process re-uses an isolated Uid but not
+# restricted to run in an isolated_app domain. Processes match this selector will
+# be mapped to isolated_compute_app by default. It is expected to be used together
+# with user=_isolated. This selector should not be used unless it is intended
+# to provide isolated processes with relaxed security restrictions.
 #
 # Precedence: entries are compared using the following rules, in the order shown
 # (see external/selinux/libselinux/src/android/android_platform.c,
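Review bot: The new isIsolatedComputeApp description in the `@@ -40,6 +41,11 @@` hunk does not state the selector's default, whereas the neighbouring fromRunAs text does (`Default is false.`), and the neverallow rules later in this patch key on `isIsolatedComputeApp=false`, so a reader cannot tell from this comment how an entry that omits the selector is treated. Suggest appending `# Default is false.` after the last sentence, provided that matches what the libselinux side actually assumes for an unspecified value. The sentence `Processes match this selector will` also reads better as `Processes matching this selector will`, and `but not restricted` as `but is not restricted`.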
@@ -57,6 +63,7 @@
 # minTargetSdkVersion= integer. Note that minTargetSdkVersion=
 # defaults to 0 if unspecified.
 # (8) fromRunAs=true before fromRunAs=false.
+# (9) isIsolatedComputeApp=true before isIsolatedComputeApp=false
 # (A fixed selector is more specific than a prefix, i.e. ending in *, and a
 # longer prefix is more specific than a shorter prefix.)
 # Apps are checked against entries in precedence order until the first match,
@@ -122,9 +129,12 @@
 neverallow user=((?!shared_relro).)* domain=shared_relro
 
 # neverallow non-isolated uids into isolated_app domain
 # and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=_isolated isIsolatedComputeApp=false domain=((?!isolated_app).)*
 neverallow user=((?!_isolated).)* domain=isolated_app
+# neverallow isolatedComputeApp into domains other than isolated_compute_app
+neverallow user=_isolated isIsolatedComputeApp=true domain=((?!isolated_compute_app).)*
+
 # uid shell should always be in shell domain, however non-shell
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 7795e3a90..e57a6b3fe 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -213,6 +213,7 @@ key_map rules[] = {
 { .name = "isPrivApp", .dir = dir_in, .fn_validate = validate_bool },
 { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
 { .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
+{ .name = "isIsolatedComputeApp", .dir = dir_in, .fn_validate = validate_bool },
 /*Outputs*/
 { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
 { .name = "type", .dir = dir_out, .fn_validate = validate_type },
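Review bot: The rule block in the `@@ -122,9 +129,12 @@` hunk adds only a one-way neverallow for the new domain and no counterpart keeping non-_isolated uids out of it, even though the existing isolated_app pair is explicitly bidirectional (`# and vice versa`). Unless such a rule already exists elsewhere in the file, an entry mapping a non-_isolated user to isolated_compute_app would pass check_seapp; suggest adding next to the new rule `# neverallow non-isolated uids into isolated_compute_app domain` and `neverallow user=((?!_isolated).)* domain=isolated_compute_app`. The first rewritten rule now only binds entries carrying `isIsolatedComputeApp=false`; whether an entry that leaves the selector unspecified is still held to isolated_app depends on how check_seapp matches an absent boolean against a neverallow key, which is not visible here and deserves an explicit case in the libselinux_test the commit message mentions. The `# and vice versa` comment above the rewritten rule no longer describes a plain pair and could name the selector it now depends on.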