
Commit 66803776 authored by Sandro Montanari's avatar Sandro Montanari Committed by Android (Google) Code Review

Merge "Add sdk_sandbox_audit to updateSeInfo" into main

parents 90682be5 f6a31b77
+33 −4
@@ -36,6 +36,7 @@ import static android.os.Process.killProcessQuiet;
import static android.os.Process.startWebView;
import static android.system.OsConstants.*;

import static com.android.sdksandbox.flags.Flags.selinuxSdkSandboxAudit;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_LRU;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_NETWORK;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_PROCESSES;
@@ -183,6 +184,7 @@ public final class ProcessList {
    static final String ANDROID_VOLD_APP_DATA_ISOLATION_ENABLED_PROPERTY =
            "persist.sys.vold_app_data_isolation_enabled";

    private static final String APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = ":isSdkSandboxAudit";
    private static final String APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = ":isSdkSandboxNext";

    // OOM adjustments for processes in various states:
@@ -549,6 +551,10 @@ public final class ProcessList {

    ActivityManagerGlobalLock mProcLock;

    private static final String PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS =
            "apply_sdk_sandbox_audit_restrictions";
    private static final boolean DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = false;

    private static final String PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS =
            "apply_sdk_sandbox_next_restrictions";
    private static final boolean DEFAULT_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = false;
@@ -572,6 +578,13 @@ public final class ProcessList {
        private final Context mContext;
        private final Object mLock = new Object();

        @GuardedBy("mLock")
        private boolean mSdkSandboxApplyRestrictionsAudit =
                DeviceConfig.getBoolean(
                DeviceConfig.NAMESPACE_ADSERVICES,
                PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS,
                DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);

        @GuardedBy("mLock")
        private boolean mSdkSandboxApplyRestrictionsNext =
                DeviceConfig.getBoolean(
@@ -593,6 +606,12 @@ public final class ProcessList {
            DeviceConfig.removeOnPropertiesChangedListener(this);
        }

        boolean applySdkSandboxRestrictionsAudit() {
            synchronized (mLock) {
                return mSdkSandboxApplyRestrictionsAudit;
            }
        }

        boolean applySdkSandboxRestrictionsNext() {
            synchronized (mLock) {
                return mSdkSandboxApplyRestrictionsNext;
@@ -608,6 +627,12 @@ public final class ProcessList {
                    }

                    switch (name) {
                        case PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS:
                            mSdkSandboxApplyRestrictionsAudit =
                                properties.getBoolean(
                                    PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS,
                                    DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
                            break;
                        case PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS:
                            mSdkSandboxApplyRestrictionsNext =
                                properties.getBoolean(
@@ -2025,10 +2050,14 @@ public final class ProcessList {
    String updateSeInfo(ProcessRecord app) {
        String extraInfo = "";
        // By the time the first the SDK sandbox process is started, device config service
        // should be available.
        if (app.isSdkSandbox
                && getProcessListSettingsListener().applySdkSandboxRestrictionsNext()) {
        // should be available. If both Next and Audit are enabled, Next takes precedence.
        if (app.isSdkSandbox) {
            if (getProcessListSettingsListener().applySdkSandboxRestrictionsNext()) {
                extraInfo = APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS;
            } else if (selinuxSdkSandboxAudit()
                    && getProcessListSettingsListener().applySdkSandboxRestrictionsAudit()) {
                extraInfo = APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS;
            }
        }

        return app.info.seInfo
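Review bot: In the updateSeInfo hunk the audit branch (`} else if (selinuxSdkSandboxAudit()` …) is gated by the aconfig flag before the DeviceConfig property is consulted, so a device with only `apply_sdk_sandbox_audit_restrictions` set never gets the `:isSdkSandboxAudit` suffix; that is a deliberate two-key gate but nothing in the hunk says so, and the new comment above the `if` only documents Next-over-Audit precedence. I would extend that comment with `// The audit suffix is additionally gated by the selinuxSdkSandboxAudit aconfig flag; the DeviceConfig property alone never selects it.` The earlier onPropertiesChanged hunk still parses and stores the audit property while the flag is off, which is harmless only because the flag is re-checked here at use time, so keep the check at this call site rather than in the listener. The `:isSdkSandboxAudit` value presumably needs a matching seapp_contexts entry that is not on this page; worth confirming it lands with this change. updateSeInfo continues past the hunk (the return statement is cut off).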
+82 −0
@@ -86,6 +86,9 @@ import android.os.Process;
import android.os.RemoteException;
import android.os.SystemClock;
import android.platform.test.annotations.Presubmit;
import android.platform.test.annotations.RequiresFlagsEnabled;
import android.platform.test.flag.junit.CheckFlagsRule;
import android.platform.test.flag.junit.DeviceFlagsValueProvider;
import android.provider.DeviceConfig;
import android.util.IntArray;
import android.util.Log;
@@ -96,6 +99,7 @@ import androidx.test.filters.SmallTest;
import androidx.test.platform.app.InstrumentationRegistry;

import com.android.dx.mockito.inline.extended.ExtendedMockito;
import com.android.sdksandbox.flags.Flags;
import com.android.server.LocalServices;
import com.android.server.am.ActivityManagerService.StickyBroadcast;
import com.android.server.am.ProcessList.IsolatedUidRange;
@@ -145,8 +149,11 @@ public class ActivityManagerServiceTest {

    private static final String TEST_EXTRA_KEY1 = "com.android.server.am.TEST_EXTRA_KEY1";
    private static final String TEST_EXTRA_VALUE1 = "com.android.server.am.TEST_EXTRA_VALUE1";
    private static final String PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS =
            "apply_sdk_sandbox_audit_restrictions";
    private static final String PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS =
            "apply_sdk_sandbox_next_restrictions";
    private static final String APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = ":isSdkSandboxAudit";
    private static final String APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = ":isSdkSandboxNext";
    private static final int TEST_UID = 11111;
    private static final int USER_ID = 666;
@@ -183,6 +190,9 @@ public class ActivityManagerServiceTest {
    public final ApplicationExitInfoTest.ServiceThreadRule
            mServiceThreadRule = new ApplicationExitInfoTest.ServiceThreadRule();

    @Rule
    public final CheckFlagsRule mCheckFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule();

    private Context mContext = getInstrumentation().getTargetContext();

    @Mock private AppOpsService mAppOpsService;
@@ -338,6 +348,7 @@ public class ActivityManagerServiceTest {
            mockitoSession.finishMocking();
        }
    }

    @SuppressWarnings("GuardedBy")
    @SmallTest
    @Test
@@ -367,6 +378,77 @@ public class ActivityManagerServiceTest {
        }
    }

    @SuppressWarnings("GuardedBy")
    @SmallTest
    @Test
    @RequiresFlagsEnabled(Flags.FLAG_SELINUX_SDK_SANDBOX_AUDIT)
    public void applySdkSandboxAuditRestrictions() throws Exception {
        MockitoSession mockitoSession =
                ExtendedMockito.mockitoSession().spyStatic(Process.class).startMocking();
        try {
            sProcessListSettingsListener.onPropertiesChanged(
                    new DeviceConfig.Properties(
                            DeviceConfig.NAMESPACE_ADSERVICES,
                            Map.of(PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS, "true")));
            assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsAudit()).isTrue();
            ExtendedMockito.doReturn(true).when(() -> Process.isSdkSandboxUid(anyInt()));
            ApplicationInfo info = new ApplicationInfo();
            info.packageName = "com.android.sdksandbox";
            info.seInfo = "default:targetSdkVersion=34:complete";
            final ProcessRecord appRec =
                    new ProcessRecord(
                            mAms,
                            info,
                            TAG,
                            Process.FIRST_SDK_SANDBOX_UID,
                            /* sdkSandboxClientPackageName= */ "com.example.client",
                            /* definingUid= */ 0,
                            /* definingProcessName= */ "");
            assertThat(mAms.mProcessList.updateSeInfo(appRec))
                    .contains(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
        } finally {
            mockitoSession.finishMocking();
        }
    }

    @SuppressWarnings("GuardedBy")
    @SmallTest
    @Test
    public void applySdkSandboxNextAndAuditRestrictions() throws Exception {
        MockitoSession mockitoSession =
                ExtendedMockito.mockitoSession().spyStatic(Process.class).startMocking();
        try {
            sProcessListSettingsListener.onPropertiesChanged(
                    new DeviceConfig.Properties(
                            DeviceConfig.NAMESPACE_ADSERVICES,
                            Map.of(PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS, "true")));
            sProcessListSettingsListener.onPropertiesChanged(
                    new DeviceConfig.Properties(
                            DeviceConfig.NAMESPACE_ADSERVICES,
                            Map.of(PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS, "true")));
            assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsNext()).isTrue();
            assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsAudit()).isTrue();
            ExtendedMockito.doReturn(true).when(() -> Process.isSdkSandboxUid(anyInt()));
            ApplicationInfo info = new ApplicationInfo();
            info.packageName = "com.android.sdksandbox";
            info.seInfo = "default:targetSdkVersion=34:complete";
            final ProcessRecord appRec =
                    new ProcessRecord(
                            mAms,
                            info,
                            TAG,
                            Process.FIRST_SDK_SANDBOX_UID,
                            /* sdkSandboxClientPackageName= */ "com.example.client",
                            /* definingUid= */ 0,
                            /* definingProcessName= */ "");
            assertThat(mAms.mProcessList.updateSeInfo(appRec))
                    .contains(APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS);
            assertThat(mAms.mProcessList.updateSeInfo(appRec))
                    .doesNotContain(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
        } finally {
            mockitoSession.finishMocking();
        }
    }

    private UidRecord addUidRecord(int uid) {
        final UidRecord uidRec = new UidRecord(uid, mAms);
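Review bot: applySdkSandboxNextAndAuditRestrictions lacks the `@RequiresFlagsEnabled(Flags.FLAG_SELINUX_SDK_SANDBOX_AUDIT)` annotation that applySdkSandboxAuditRestrictions carries, so when the flag is off the `.doesNotContain(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS)` assertion passes trivially and never exercises the precedence rule it exists to cover; add the same annotation above its `@Test`. A `@RequiresFlagsDisabled` sibling that sets the audit property to "true" and asserts the suffix is absent would pin the flag gate itself, which no test here does. Both new tests push "true" into the shared static `sProcessListSettingsListener` and never reset it, so if that listener outlives a test method the values may bleed into later tests; resetting the two properties to "false" in the `finally` block would make ordering irrelevant. In the second test `updateSeInfo(appRec)` is evaluated twice for two assertions on the same value; computing it once into a local reads more clearly.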