authorMugdha Lakhani <nator@google.com>2023-05-11 14:20:07 +0000
committerMugdha Lakhani <nator@google.com>2023-05-11 18:07:06 +0000
commit8c40c00f3d7b2a2881a38c073bce4dba0e87dba0 (patch)
treeb900913a09b6c9832c62daf414b87b747e06620d
parent0db1ceb25e2795a469de4d73881a572520e1947f (diff)
downloadselinux-8c40c00f3d7b2a2881a38c073bce4dba0e87dba0.tar.gz
Add applySdkSandboxNextRestrictions flagandroid14-dev
seapp_context_lookup_internal applies a flag that is referenced in seapp_contexts based on the seInfo string passed to it. This enables testers to test out the set of restrictions planned for the next SDK version and give feedback before we decide on the actual restrictions for the next release. Bug: b/270148964 Test: manual test app and adb shell ps -Z Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
-rw-r--r--libselinux/src/android/android_seapp.c24
1 files changed, 21 insertions, 3 deletions
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index dc3e9da5..391165d2 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -135,6 +135,7 @@ struct seapp_context {
int32_t minTargetSdkVersion;
bool fromRunAs;
bool isIsolatedComputeApp;
+ bool isSdkSandboxNext;
/* outputs */
char *domain;
char *type;
@@ -241,7 +242,8 @@ static int seapp_context_cmp(const void *A, const void *B)
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
- (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
+ (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
+ (s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
if (dup) {
seapp_contexts_dup = true;
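Review bot: The new conjunct `(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext)` is true only when both entries set the flag to true, so two otherwise identical seapp_contexts entries that leave isSdkSandboxNext unset never satisfy this expression. Assuming the chain feeds the `dup` tested just below (the expression starts outside the hunk), duplicate detection fires only for entries that enable every boolean selector, and an ambiguous pair would presumably be resolved by entry order instead of being reported. The field has no separate `...Set` companion, so plain equality is enough: `(s1->isSdkSandboxNext == s2->isSdkSandboxNext);`. The isIsolatedComputeApp conjunct on the line above has the same shape and probably wants the same treatment.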
@@ -526,7 +528,16 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
free_seapp_context(cur);
goto err;
}
- } else {
+ } else if (!strcasecmp(name, "isSdkSandboxNext")) {
+ if (!strcasecmp(value, "true"))
+ cur->isSdkSandboxNext = true;
+ else if (!strcasecmp(value, "false"))
+ cur->isSdkSandboxNext = false;
+ else {
+ free_seapp_context(cur);
+ goto err;
+ }
+ } else {
free_seapp_context(cur);
goto err;
}
@@ -563,7 +574,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
int i;
for (i = 0; i < nspec; i++) {
cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
__FUNCTION__,
cur->isSystemServer ? "true" : "false",
@@ -574,6 +585,7 @@ int seapp_context_reload_internal(const path_alts_t *context_paths)
cur->minTargetSdkVersion,
cur->fromRunAs ? "true" : "false",
cur->isIsolatedComputeApp ? "true" : "false",
+ cur->isSdkSandboxNext ? "true" : "false",
cur->domain, cur->type, cur->level,
levelFromName[cur->levelFrom]);
}
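Review bot: The new `%s` conversions do not line up with their arguments: the format string in the previous hunk places `isIsolatedComputeApp=%s isSdkSandboxNext=%s` right after `isEphemeralApp=%s`, while `cur->isSdkSandboxNext ? "true" : "false"` and the isIsolatedComputeApp argument before it sit after `cur->fromRunAs`, just ahead of `cur->domain`. The arguments between the two hunks are not visible, but unless they were reordered as well, the later conversions are shifted and a `%s` can end up consuming the `int` minTargetSdkVersion, which is undefined behaviour in a varargs call rather than just a garbled log line. Either move both boolean arguments up to follow the isEphemeralApp argument, or move `isIsolatedComputeApp=%s isSdkSandboxNext=%s` in the format so it follows `fromRunAs=%s`. Compiling this logging block with -Wformat enabled should flag the mismatch.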
@@ -628,6 +640,7 @@ void selinux_android_seapp_context_init(void) {
#define PRIVILEGED_APP_STR ":privapp"
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
+#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
#define EPHEMERAL_APP_STR ":ephemeralapp"
#define TARGETSDKVERSION_STR ":targetSdkVersion="
#define FROM_RUNAS_STR ":fromRunAs"
@@ -726,6 +739,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
bool isPrivApp = false;
bool isEphemeralApp = false;
bool isIsolatedComputeApp = false;
+ bool isSdkSandboxNext = false;
int32_t targetSdkVersion = 0;
bool fromRunAs = false;
char parsedseinfo[BUFSIZ];
@@ -736,6 +750,7 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
+ isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
targetSdkVersion = get_app_targetSdkVersion(seinfo);
if (targetSdkVersion < 0) {
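Review bot: `strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR)` matches the text anywhere in seinfo, so the flag is also set by any longer token that merely starts with `:isSdkSandboxNext`, the same way the neighbouring flags are parsed. Because this boolean takes part in selecting the SELinux context for the process, it would be safer to accept the match only when the character after it is `'\0'` or `':'`, ideally through one small helper shared by all the `:flag` checks here. The macro is also named after `applySdkSandboxNextRestrictions` while the string and every field use `isSdkSandboxNext`; one name throughout would make the seinfo contract easier to audit. The enclosing function continues outside the hunk.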
@@ -817,6 +832,9 @@ int seapp_context_lookup_internal(enum seapp_kind kind,
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
continue;
+ if (cur->isSdkSandboxNext != isSdkSandboxNext)
+ continue;
+
if (kind == SEAPP_TYPE && !cur->type)
continue;
else if (kind == SEAPP_DOMAIN && !cur->domain)
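Review bot: This comparison has no "unset" case, which deserves a comment: an entry that omits isSdkSandboxNext is stored as false and therefore never matches a process whose seinfo carries `:isSdkSandboxNext`. If the loaded seapp_contexts has no entry with `isSdkSandboxNext=true` for that process, the loop skips every entry; what happens after the loop is outside the hunk, so it is worth confirming the lookup fails rather than falling back to a less restricted domain. Suggested comment above the check: `/* No "unset" state: entries without isSdkSandboxNext=true only match seinfo without the flag. */`.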