public String[] resourceDirs;
/**
- * String retrieved from the seinfo tag found in selinux policy. This value can be set through
- * the mac_permissions.xml policy construct. This value is used for setting an SELinux security
- * context on the process as well as its data directory.
+ * String retrieved from the seinfo tag found in selinux policy. This value
+ * can be overridden with a value set through the mac_permissions.xml policy
+ * construct. This value is useful in setting an SELinux security context on
+ * the process as well as its data directory. The String default is being used
+ * here to represent a catchall label when no policy matches.
*
* {@hide}
*/
- public String seInfo;
+ public String seInfo = "default";
/**
* The seinfo tag generated per-user. This value may change based upon the
}
}
}
- // Adjust seInfo to ensure apps which share a sharedUserId are placed in the same
- // SELinux domain.
- setting.fixSeInfoLocked();
}
// Now that we know all the packages we are keeping,
pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
}
- // Apps which share a sharedUserId must be placed in the same selinux domain. If this
- // package is the first app installed as this shared user, set seInfoTargetSdkVersion to its
- // targetSdkVersion. These are later adjusted in PackageManagerService's constructor to be
- // the lowest targetSdkVersion of all apps within the shared user, which corresponds to the
- // least restrictive selinux domain.
- // NOTE: As new packages are installed / updated, the shared user's seinfoTargetSdkVersion
- // will NOT be modified until next boot, even if a lower targetSdkVersion is used. This
- // ensures that all packages continue to run in the same selinux domain.
- final int targetSdkVersion =
- ((sharedUserSetting != null) && (sharedUserSetting.packages.size() != 0)) ?
- sharedUserSetting.seInfoTargetSdkVersion : pkg.applicationInfo.targetSdkVersion;
+ // SELinux sandboxes become more restrictive as targetSdkVersion increases.
+ // To ensure that apps with sharedUserId are placed in the same selinux domain
+ // without breaking any assumptions about access, put them into the least
+ // restrictive targetSdkVersion=25 domain.
+ // TODO(b/72290969): Base this on the actual targetSdkVersion(s) of the apps within the
+ // sharedUserSetting, instead of defaulting to the least restrictive domain.
+ final int targetSdk = (sharedUserSetting != null) ? 25
+ : pkg.applicationInfo.targetSdkVersion;
// TODO(b/71593002): isPrivileged for sharedUser and appInfo should never be out of sync.
// They currently can be if the sharedUser apps are signed with the platform key.
final boolean isPrivileged = (sharedUserSetting != null) ?
sharedUserSetting.isPrivileged() | pkg.isPrivileged() : pkg.isPrivileged();
- pkg.applicationInfo.seInfo = SELinuxMMAC.getSeInfo(pkg, isPrivileged,
- pkg.applicationInfo.targetSandboxVersion, targetSdkVersion);
+ SELinuxMMAC.assignSeInfoValue(pkg, isPrivileged, targetSdk);
pkg.mExtras = pkgSetting;
pkg.applicationInfo.processName = fixProcessName(
/** Required MAC permissions files */
private static List<File> sMacPermissions = new ArrayList<>();
- private static final String DEFAULT_SEINFO = "default";
-
// Append privapp to existing seinfo label
private static final String PRIVILEGED_APP_STR = ":privapp";
}
/**
- * Selects a security label to a package based on input parameters and the seinfo tag taken
- * from a matched policy. All signature based policy stanzas are consulted and, if no match
- * is found, the default seinfo label of 'default' is used. The security label is attached to
- * the ApplicationInfo instance of the package.
+ * Applies a security label to a package based on an seinfo tag taken from a matched
+ * policy. All signature based policy stanzas are consulted and, if no match is
+ * found, the default seinfo label of 'default' (set in ApplicationInfo object) is
+ * used. The security label is attached to the ApplicationInfo instance of the package
+ * in the event that a matching policy was found.
*
* @param pkg object representing the package to be labeled.
- * @param isPrivileged boolean.
- * @param targetSandboxVersion int.
- * @param targetSdkVersion int. If this pkg runs as a sharedUser, targetSdkVersion is the
- * greater of: lowest targetSdk for all pkgs in the sharedUser, or
- * MINIMUM_TARGETSDKVERSION.
- * @return String representing the resulting seinfo.
*/
- public static String getSeInfo(PackageParser.Package pkg, boolean isPrivileged,
- int targetSandboxVersion, int targetSdkVersion) {
- String seInfo = null;
+ public static void assignSeInfoValue(PackageParser.Package pkg, boolean isPrivileged,
+ int targetSdkVersion) {
synchronized (sPolicies) {
if (!sPolicyRead) {
if (DEBUG_POLICY) {
Slog.d(TAG, "Policy not read");
}
- } else {
- for (Policy policy : sPolicies) {
- seInfo = policy.getMatchedSeInfo(pkg);
- if (seInfo != null) {
- break;
- }
+ return;
+ }
+ for (Policy policy : sPolicies) {
+ String seInfo = policy.getMatchedSeInfo(pkg);
+ if (seInfo != null) {
+ pkg.applicationInfo.seInfo = seInfo;
+ break;
}
}
}
- if (seInfo == null) {
- seInfo = DEFAULT_SEINFO;
- }
-
- if (targetSandboxVersion == 2) {
- seInfo += SANDBOX_V2_STR;
- }
+ if (pkg.applicationInfo.targetSandboxVersion == 2)
+ pkg.applicationInfo.seInfo += SANDBOX_V2_STR;
if (isPrivileged) {
- seInfo += PRIVILEGED_APP_STR;
+ pkg.applicationInfo.seInfo += PRIVILEGED_APP_STR;
}
- seInfo += TARGETSDKVERSION_STR + targetSdkVersion;
+ pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + targetSdkVersion;
if (DEBUG_POLICY_INSTALL) {
Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " +
- "seinfo=" + seInfo);
+ "seinfo=" + pkg.applicationInfo.seInfo);
}
- return seInfo;
}
}
int uidFlags;
int uidPrivateFlags;
- // The lowest targetSdkVersion of all apps in the sharedUserSetting, used to assign seinfo so
- // that all apps within the sharedUser run in the same selinux context.
- int seInfoTargetSdkVersion;
-
final ArraySet<PackageSetting> packages = new ArraySet<PackageSetting>();
final PackageSignatures signatures = new PackageSignatures();
}
void addPackage(PackageSetting packageSetting) {
- // If this is the first package added to this shared user, temporarily (until next boot) use
- // its targetSdkVersion when assigning seInfo for the shared user.
- if ((packages.size() == 0) && (packageSetting.pkg != null)) {
- seInfoTargetSdkVersion = packageSetting.pkg.applicationInfo.targetSdkVersion;
- }
if (packages.add(packageSetting)) {
setFlags(this.pkgFlags | packageSetting.pkgFlags);
setPrivateFlags(this.pkgPrivateFlags | packageSetting.pkgPrivateFlags);
public boolean isPrivileged() {
return (this.pkgPrivateFlags & ApplicationInfo.PRIVATE_FLAG_PRIVILEGED) != 0;
}
-
- /**
- * Determine the targetSdkVersion for a sharedUser and update pkg.applicationInfo.seInfo
- * to ensure that all apps within the sharedUser share an SELinux domain. Use the lowest
- * targetSdkVersion of all apps within the shared user, which corresponds to the least
- * restrictive selinux domain.
- */
- public void fixSeInfoLocked() {
- final List<PackageParser.Package> pkgList = getPackages();
-
- for (PackageParser.Package pkg : pkgList) {
- if (pkg.applicationInfo.targetSdkVersion < seInfoTargetSdkVersion) {
- seInfoTargetSdkVersion = pkg.applicationInfo.targetSdkVersion;
- }
- }
- for (PackageParser.Package pkg : pkgList) {
- final boolean isPrivileged = isPrivileged() | pkg.isPrivileged();
- pkg.applicationInfo.seInfo = SELinuxMMAC.getSeInfo(pkg, isPrivileged,
- pkg.applicationInfo.targetSandboxVersion, seInfoTargetSdkVersion);
- }
- }
-
}