/** * Applies zygote security policy per bug #1042973. A root peer may spawn an instance with any * capabilities. All other uids may spawn instances with any of the capabilities in the peer's * permitted set but no more. * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyCapabilitiesSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { if (args.permittedCapabilities == 0 && args.effectiveCapabilities == 0) { // nothing to check return; } boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifycapabilities"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify capabilities"); } if (peer.getUid() == 0) { // root may specify anything return; } long permittedCaps; try { permittedCaps = ZygoteInit.capgetPermitted(peer.getPid()); } catch (IOException ex) { throw new ZygoteSecurityException("Error retrieving peer's capabilities."); } /* * Ensure that the client did not specify an effective set larger * than the permitted set. The kernel will enforce this too, but we * do it here to make the following check easier. */ if (((~args.permittedCapabilities) & args.effectiveCapabilities) != 0) { throw new ZygoteSecurityException( "Effective capabilities cannot be superset of " + " permitted capabilities"); } /* * Ensure that the new permitted (and thus the new effective) set is * a subset of the peer process's permitted set */ if (((~permittedCaps) & args.permittedCapabilities) != 0) { throw new ZygoteSecurityException("Peer specified unpermitted capabilities"); } }
/** * Applies zygote security policy per bugs #875058 and #1082165. Based on the credentials of the * process issuing a zygote command: * * <ol> * <li>uid 0 (root) may specify any uid, gid, and setgroups() list * <li>uid 1000 (Process.SYSTEM_UID) may specify any uid > 1000 in normal operation. It may * also specify any gid and setgroups() list it chooses. In factory test mode, it may * specify any UID. * <li>Any other uid may not specify any uid, gid, or setgroups list. The uid and gid will be * inherited from the requesting process. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyUidSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (peerUid == 0) { // Root can do what it wants } else if (peerUid == Process.SYSTEM_UID) { // System UID is restricted, except in factory test mode String factoryTest = SystemProperties.get("ro.factorytest"); boolean uidRestricted; /* In normal operation, SYSTEM_UID can only specify a restricted * set of UIDs. In factory test mode, SYSTEM_UID may specify any uid. */ uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2")); if (uidRestricted && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) { throw new ZygoteSecurityException( "System UID may not launch process with UID < " + Process.SYSTEM_UID); } } else { // Everything else if (args.uidSpecified || args.gidSpecified || args.gids != null) { throw new ZygoteSecurityException("App UIDs may not specify uid's or gid's"); } } if (args.uidSpecified || args.gidSpecified || args.gids != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyids"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify uid's or gid's"); } } // If not otherwise specified, uid and gid are inherited from peer if (!args.uidSpecified) { args.uid = peer.getUid(); args.uidSpecified = true; } if (!args.gidSpecified) { args.gid = peer.getGid(); args.gidSpecified = true; } }
/** * Applies zygote security policy. Based on the credentials of the process issuing a zygote * command: * * <ol> * <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command. * <li>Any other uid may not specify any invoke-with argument. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.invokeWith != null && peerUid != 0) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } }
private void setChildPgid(int pid) { // Try to move the new child into the peer's process group. try { ZygoteInit.setpgid(pid, ZygoteInit.getpgid(peer.getPid())); } catch (IOException ex) { // This exception is expected in the case where // the peer is not in our session // TODO get rid of this log message in the case where // getsid(0) != getsid(peer.getPid()) Log.i(TAG, "Zygote: setpgid failed. This is " + "normal if peer is not in our session"); } }
/** * Applies zygote security policy per bug #1042973. Based on the credentials of the process * issuing a zygote command: * * <ol> * <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits. * <li>All other uids may not specify rlimits. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyRlimitSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID if (args.rlimits != null) { throw new ZygoteSecurityException("This UID may not specify rlimits."); } } }
/** * Applies zygote security policy. Based on the credentials of the process issuing a zygote * command: * * <ol> * <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command. * <li>Any other uid may not specify any invoke-with argument. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyInvokeWithSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.invokeWith != null && peerUid != 0) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } if (args.invokeWith != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyinvokewith"); if (!allowed) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } } }
/** * Applies zygote security policy per bug #1042973. Based on the credentials of the process * issuing a zygote command: * * <ol> * <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits. * <li>All other uids may not specify rlimits. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyRlimitSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID if (args.rlimits != null) { throw new ZygoteSecurityException("This UID may not specify rlimits."); } } if (args.rlimits != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyrlimits"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify rlimits"); } } }
/** * Applies zygote security policy for SEAndroid information. * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyseInfoSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.seInfo == null) { // nothing to check return; } if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID throw new ZygoteSecurityException("This UID may not specify SEAndroid info."); } boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyseinfo"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify SEAndroid info"); } return; }
public void testLocalConnections() throws IOException { // create client and server socket LocalServerSocket localServerSocket = new LocalServerSocket(mSockAddr); LocalSocket clientSocket = new LocalSocket(); // establish connection between client and server LocalSocketAddress locSockAddr = new LocalSocketAddress(mSockAddr); assertFalse(clientSocket.isConnected()); clientSocket.connect(locSockAddr); assertTrue(clientSocket.isConnected()); LocalSocket serverSocket = localServerSocket.accept(); Credentials credent = clientSocket.getPeerCredentials(); assertTrue(0 != credent.getPid()); // send data from client to server OutputStream clientOutStream = clientSocket.getOutputStream(); clientOutStream.write(12); InputStream serverInStream = serverSocket.getInputStream(); assertEquals(12, serverInStream.read()); // send data from server to client OutputStream serverOutStream = serverSocket.getOutputStream(); serverOutStream.write(3); InputStream clientInStream = clientSocket.getInputStream(); assertEquals(3, clientInStream.read()); // Test sending and receiving file descriptors clientSocket.setFileDescriptorsForSend(new FileDescriptor[] {FileDescriptor.in}); clientOutStream.write(32); assertEquals(32, serverInStream.read()); FileDescriptor[] out = serverSocket.getAncillaryFileDescriptors(); assertEquals(1, out.length); FileDescriptor fd = clientSocket.getFileDescriptor(); assertTrue(fd.valid()); // shutdown input stream of client clientSocket.shutdownInput(); assertEquals(-1, clientInStream.read()); // shutdown output stream of client clientSocket.shutdownOutput(); try { clientOutStream.write(10); fail("testLocalSocket shouldn't come to here"); } catch (IOException e) { // expected } // shutdown input stream of server serverSocket.shutdownInput(); assertEquals(-1, serverInStream.read()); // shutdown output stream of server serverSocket.shutdownOutput(); try { serverOutStream.write(10); fail("testLocalSocket shouldn't come to here"); } catch (IOException e) { // expected } // close client socket clientSocket.close(); try { clientInStream.read(); fail("testLocalSocket shouldn't come to here"); } catch (IOException e) { // expected } // close server socket serverSocket.close(); try { serverInStream.read(); fail("testLocalSocket shouldn't come to here"); } catch (IOException e) { // expected } }