topjohnwu/selinux
1
0
Fork 0
mirror of https://github.com/topjohnwu/selinux.git synced 2024-11-27 05:20:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add applySdkSandboxNextRestrictions flag

Browse Source 
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.

This enables testers to test out the set of restriction planned the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.

Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
This commit is contained in:
Mugdha Lakhani 2023-05-11 14:20:07 +00:00
parent 0db1ceb25e
commit 8c40c00f3d
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
libselinux/src/android/android_seapp.c
View File

@ -135,6 +135,7 @@ struct seapp_context {
int32_t minTargetSdkVersion;
bool fromRunAs;
bool isIsolatedComputeApp;
bool isSdkSandboxNext;
/* outputs */
char *domain;
char *type;
@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B)
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
(s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
if (dup) {
seapp_contexts_dup = true;
@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
free_seapp_context(cur);
goto err;
}
} else {
} else if (!strcasecmp(name, "isSdkSandboxNext")) {
if (!strcasecmp(value, "true"))
cur->isSdkSandboxNext = true;
else if (!strcasecmp(value, "false"))
cur->isSdkSandboxNext = false;
else {
free_seapp_context(cur);
goto err;
}
} else {
free_seapp_context(cur);
goto err;
}
@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
int i;
for (i = 0; i < nspec; i++) {
cur = seapp_contexts[i];
selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
__FUNCTION__,
cur->isSystemServer ? "true" : "false",
@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
cur->minTargetSdkVersion,
cur->fromRunAs ? "true" : "false",
cur->isIsolatedComputeApp ? "true" : "false",
cur->isSdkSandboxNext ? "true" : "false",
cur->domain, cur->type, cur->level,
levelFromName[cur->levelFrom]);
}
@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) {
#define PRIVILEGED_APP_STR ":privapp"
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
#define EPHEMERAL_APP_STR ":ephemeralapp"
#define TARGETSDKVERSION_STR ":targetSdkVersion="
#define FROM_RUNAS_STR ":fromRunAs"
@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
bool isPrivApp = false;
bool isEphemeralApp = false;
bool isIsolatedComputeApp = false;
bool isSdkSandboxNext = false;
int32_t targetSdkVersion = 0;
bool fromRunAs = false;
char parsedseinfo[BUFSIZ];
@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
targetSdkVersion = get_app_targetSdkVersion(seinfo);
if (targetSdkVersion < 0) {
@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
continue;
if (cur->isSdkSandboxNext != isSdkSandboxNext)
continue;
if (kind == SEAPP_TYPE && !cur->type)
continue;
else if (kind == SEAPP_DOMAIN && !cur->domain)