Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7c4787b4 authored by Michael Peck's avatar Michael Peck Committed by Jeff Vander Stoep
Browse files

Pass targetSdkVersion specifier for SELinux labeling 

Motivation:
Provide the ability to phase in new security policies by
applying them to apps with a minimum targetSdkVersion

Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25
run in untrusted_app_25 domain. Apps targeting the current development
build >=26 run in the untrusted_app domain with fewer permissions. No
new denials observed during testing.
Bug: 34115651
Change-Id: Ib9f6ded9bd2f426861a6d843861b4074084253b0
parent d3146f3c

services/core/java/com/android/server/pm/SELinuxMMAC.java

+5 −0
Original line number Diff line number Diff line
@@ -69,6 +69,9 @@ public final class SELinuxMMAC { 
    // Append autoplay to existing seinfo label

    private static final String AUTOPLAY_APP_STR = ":autoplayapp";



    // Append targetSdkVersion=n to existing seinfo label where n is the app's targetSdkVersion

    private static final String TARGETSDKVERSION_STR = ":targetSdkVersion=";



    /**

     * Load the mac_permissions.xml file containing all seinfo assignments used to

     * label apps. The loaded mac_permissions.xml file is determined by the
@@ -290,6 +293,8 @@ public final class SELinuxMMAC { 
        if (pkg.applicationInfo.isPrivilegedApp())

            pkg.applicationInfo.seinfo += PRIVILEGED_APP_STR;



        pkg.applicationInfo.seinfo += TARGETSDKVERSION_STR + pkg.applicationInfo.targetSdkVersion;



        if (DEBUG_POLICY_INSTALL) {

            Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " +

                    "seinfo=" + pkg.applicationInfo.seinfo);