
Commit 742ebd45 authored by Jeff Vander Stoep

reland: pm: Apps with shared UID must also share selinux domain

There are two existing cases where apps that share a sharedUserId
potentially end up in separate SELinux domains.

1. An app installed in /system/priv-app runs in the priv_app domain.
   An app installed on the /data partition which shares a
   sharedUserId with that priv_app would run in the untrusted_app
   domain (e.g. GTS b/72235911). This issue has existed since
   Android N.
2. The untrusted_app domain may now deprecate permissions based on
   targetSdkVersion, so apps with sharedUserId may have different
   permissions based on which targetSdkVersion they use. This issue
   has existed since Android O, but is particularly problematic for
   feature "Deprecate world accessible app data" which puts every app
   targeting P+ into its own selinux domain.

This change fixes #1 and adds a temporary workaround to prevent #2.

Updated version considers both SharedUserSetting.isPrivileged() and
pkg.isPrivileged() for the case where the app has a shared User.

Test: cts-tradefed run cts -m CtsSelinuxTargetSdkCurrentTestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk27TestCases
Test: cts-tradefed run cts -m CtsSelinuxTargetSdk25TestCases
Test: confirm via packages.list that apps end up in the same
    selinux domain before and after this patch.
Bug: 72290969
Change-Id: I974bea88004622b70633fdeb54a1372fd04c6eff
parent dd020f6f
+15 −3
@@ -9991,8 +9991,7 @@ Slog.e("TODD",
                // priv-apps.
                synchronized (mPackages) {
                    PackageSetting platformPkgSetting = mSettings.mPackages.get("android");
                    if (!pkg.packageName.equals("android")
                            && (compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
                    if ((compareSignatures(platformPkgSetting.signatures.mSigningDetails.signatures,
                                pkg.mSigningDetails.signatures) != PackageManager.SIGNATURE_MATCH)) {
                        scanFlags |= SCAN_AS_PRIVILEGED;
                    }
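Review bot: Dropping the `!pkg.packageName.equals("android")` guard means `platformPkgSetting` is now dereferenced unconditionally, but it comes from `mSettings.mPackages.get("android")` and has no null check in the visible lines; if this branch can run while the framework package itself is being scanned (before its setting exists), this is a NullPointerException. Consider keeping a `platformPkgSetting != null` guard in the condition. Separately, the hunk header shows a `Slog.e("TODD", ...)` in the enclosing method, which looks like leftover debug logging that should not be in the tree.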
@@ -10459,7 +10458,20 @@ Slog.e("TODD",
            pkg.applicationInfo.flags |= ApplicationInfo.FLAG_UPDATED_SYSTEM_APP;
        }
        SELinuxMMAC.assignSeInfoValue(pkg);
        // SELinux sandboxes become more restrictive as targetSdkVersion increases.
        // To ensure that apps with sharedUserId are placed in the same selinux domain
        // without breaking any assumptions about access, put them into the least
        // restrictive targetSdkVersion=25 domain.
        // TODO(b/72290969): Base this on the actual targetSdkVersion(s) of the apps within the
        // sharedUserSetting, instead of defaulting to the least restrictive domain.
        final int targetSdk = (sharedUserSetting != null) ? 25
                : pkg.applicationInfo.targetSdkVersion;
        // TODO(b/71593002): isPrivileged for sharedUser and appInfo should never be out of sync.
        // They currently can be if the sharedUser apps are signed with the platform key.
        final boolean isPrivileged = (sharedUserSetting != null) ?
            sharedUserSetting.isPrivileged() | pkg.isPrivileged() : pkg.isPrivileged();
        SELinuxMMAC.assignSeInfoValue(pkg, isPrivileged, targetSdk);
        pkg.mExtras = pkgSetting;
        pkg.applicationInfo.processName = fixProcessName(
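Review bot: Pinning `targetSdk` to 25 for every package with a `sharedUserSetting` means a shared-UID app that targets P+ is labeled with the least restrictive `targetSdkVersion=25` domain, so the per-targetSdk SELinux hardening the commit message mentions does not apply to shared-UID apps at all; the TODO(b/72290969) acknowledges this, but it is worth stating in the commit message as a deliberate, temporary relaxation. Two smaller points: `sharedUserSetting.isPrivileged() | pkg.isPrivileged()` uses the non-short-circuit bitwise `|` on booleans where `||` is the idiomatic form and reads as intended, and the bare literal `25` should be a named constant (e.g. `Build.VERSION_CODES.N_MR1`) so its meaning is clear at the call site.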
+5 −3
@@ -315,7 +315,8 @@ public final class SELinuxMMAC {
     *
     * @param pkg object representing the package to be labeled.
     */
    public static void assignSeInfoValue(PackageParser.Package pkg) {
    public static void assignSeInfoValue(PackageParser.Package pkg, boolean isPrivileged,
            int targetSdkVersion) {
        synchronized (sPolicies) {
            if (!sPolicyRead) {
                if (DEBUG_POLICY) {
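Review bot: The Javadoc above the new signature still documents only `@param pkg`; add `@param isPrivileged` and `@param targetSdkVersion` entries explaining that the caller now decides both values (in particular that `targetSdkVersion` may differ from `pkg.applicationInfo.targetSdkVersion` for shared-UID apps), since that is the whole reason the parameters were added and a future caller should not pass the package's own fields by reflex.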
@@ -335,10 +336,11 @@ public final class SELinuxMMAC {
        if (pkg.applicationInfo.targetSandboxVersion == 2)
            pkg.applicationInfo.seInfo += SANDBOX_V2_STR;

        if (pkg.applicationInfo.isPrivilegedApp())
        if (isPrivileged) {
            pkg.applicationInfo.seInfo += PRIVILEGED_APP_STR;
        }

        pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + pkg.applicationInfo.targetSdkVersion;
        pkg.applicationInfo.seInfo += TARGETSDKVERSION_STR + targetSdkVersion;

        if (DEBUG_POLICY_INSTALL) {
            Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " +
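Review bot: `targetSdkVersion` and `isPrivileged` now come from the caller, but the preceding `if (pkg.applicationInfo.targetSandboxVersion == 2)` still reads a per-package field and appends `SANDBOX_V2_STR`; two packages sharing a UID that differ in `targetSandboxVersion` would therefore still get different `seInfo` strings, which is the situation this change sets out to prevent. Either pass a caller-computed sandbox version alongside the other two parameters or document why that case cannot occur. Minor: the new `if (isPrivileged) {` block uses braces while the `targetSandboxVersion` check just above it does not; pick one style for the method.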