Add applySdkSandboxNextRestrictions flag
seapp_context_lookup_internal applies a flag that is referenced in
seapp_contexts based on the seInfo string passed to it.
This enables testers to test out the set of restrictions planned for the
next SDK version and give feedback before we decide on the actual
restrictions for the next release.
Bug: b/270148964
Test: manual test app and adb shell ps -Z
Change-Id: I175229d135d99516dd6f38b8963d0ccc93a61a4f
Merged-In: I175229d135d99516dd6f38b8963d0ccc93a61a4f
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index dc3e9da..391165d 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -135,6 +135,7 @@
int32_t minTargetSdkVersion;
bool fromRunAs;
bool isIsolatedComputeApp;
+ bool isSdkSandboxNext;
/* outputs */
char *domain;
char *type;
@@ -241,7 +242,8 @@
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
- (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
+ (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
+ (s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
if (dup) {
seapp_contexts_dup = true;
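Review bot: The added conjunct `(s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext)` is false whenever s1 leaves the flag at false, so, being ANDed into `dup`, it stops two otherwise identical entries from being reported as duplicates unless both set isSdkSandboxNext=true. The isSystemServer and isIsolatedComputeApp context lines have the same shape, whereas isPrivApp and isEphemeralApp guard on a separate `...Set` field. Because no `isSdkSandboxNextSet` field is added in the struct hunk, a plain equality seems to be what is intended: `(s1->isSdkSandboxNext == s2->isSdkSandboxNext);`. Undetected duplicates matter here because they leave it ambiguous which seapp_contexts entry assigns the domain. The start of the `dup` expression is outside this hunk, so the other conjuncts should be checked as well.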
@@ -526,7 +528,16 @@
free_seapp_context(cur);
goto err;
}
- } else {
+ } else if (!strcasecmp(name, "isSdkSandboxNext")) {
+ if (!strcasecmp(value, "true"))
+ cur->isSdkSandboxNext = true;
+ else if (!strcasecmp(value, "false"))
+ cur->isSdkSandboxNext = false;
+ else {
+ free_seapp_context(cur);
+ goto err;
+ }
+ } else {
free_seapp_context(cur);
goto err;
}
@@ -563,7 +574,7 @@
int i;
for (i = 0; i < nspec; i++) {
cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
__FUNCTION__,
cur->isSystemServer ? "true" : "false",
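Review bot: The `isSdkSandboxNext=%s` conversion is placed fourth in the format string, but its argument `cur->isSdkSandboxNext ? "true" : "false",` is added in the next hunk after `cur->fromRunAs` and `cur->isIsolatedComputeApp`, directly before `cur->domain`. In the format, `fromRunAs=%s` is followed immediately by `domain=%s`, so the visible arguments cannot line up with their labels. If the argument count still matches and selinux_log formats printf-style, `cur->minTargetSdkVersion` (an `int32_t`) is consumed by a `%s` and a string pointer by `%d`, which is undefined behavior. Both boolean arguments should move up to follow the isEphemeralApp argument, which lies in the unshown lines between the two hunks, so that argument order matches the format. Until then this policy dump is unreliable for auditing which seapp_contexts entries were loaded.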
@@ -574,6 +585,7 @@
cur->minTargetSdkVersion,
cur->fromRunAs ? "true" : "false",
cur->isIsolatedComputeApp ? "true" : "false",
+ cur->isSdkSandboxNext ? "true" : "false",
cur->domain, cur->type, cur->level,
levelFromName[cur->levelFrom]);
}
@@ -628,6 +640,7 @@
#define PRIVILEGED_APP_STR ":privapp"
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
+#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
#define EPHEMERAL_APP_STR ":ephemeralapp"
#define TARGETSDKVERSION_STR ":targetSdkVersion="
#define FROM_RUNAS_STR ":fromRunAs"
@@ -726,6 +739,7 @@
bool isPrivApp = false;
bool isEphemeralApp = false;
bool isIsolatedComputeApp = false;
+ bool isSdkSandboxNext = false;
int32_t targetSdkVersion = 0;
bool fromRunAs = false;
char parsedseinfo[BUFSIZ];
@@ -736,6 +750,7 @@
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
+ isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
targetSdkVersion = get_app_targetSdkVersion(seinfo);
if (targetSdkVersion < 0) {
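Review bot: `strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR)` matches the text anywhere in seinfo, so any longer token that merely begins with `:isSdkSandboxNext` also sets the flag, and the flag then decides which seapp_contexts entry, and so which domain, is selected in the lookup loop. The neighbouring flags share this, but a new selector is a good place to require a token boundary: keep the `strstr` result in a pointer `p` and accept it only when `p[strlen(APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR)]` is `':'` or `'\0'`. The macro name, defined in the earlier `#define` hunk, also differs from the token and field name isSdkSandboxNext, which makes the flag harder to grep for. The enclosing function starts and ends outside this hunk, and whether an app can influence seinfo is not visible here.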
@@ -817,6 +832,9 @@
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
continue;
+ if (cur->isSdkSandboxNext != isSdkSandboxNext)
+ continue;
+
if (kind == SEAPP_TYPE && !cur->type)
continue;
else if (kind == SEAPP_DOMAIN && !cur->domain)