/**
* Applies zygote security policy per bugs #875058 and #1082165. Based on the credentials of the
* process issuing a zygote command:
*
* <ol>
* <li>uid 0 (root) may specify any uid, gid, and setgroups() list
* <li>uid 1000 (Process.SYSTEM_UID) may specify any uid > 1000 in normal operation. It may
* also specify any gid and setgroups() list it chooses. In factory test mode, it may
* specify any UID.
* <li>Any other uid may not specify any uid, gid, or setgroups list. The uid and gid will be
* inherited from the requesting process.
* </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyUidSecurityPolicy(
Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (peerUid == 0) {
// Root can do what it wants
} else if (peerUid == Process.SYSTEM_UID) {
// System UID is restricted, except in factory test mode
String factoryTest = SystemProperties.get("ro.factorytest");
boolean uidRestricted;
/* In normal operation, SYSTEM_UID can only specify a restricted
* set of UIDs. In factory test mode, SYSTEM_UID may specify any uid.
*/
uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2"));
if (uidRestricted && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) {
throw new ZygoteSecurityException(
"System UID may not launch process with UID < " + Process.SYSTEM_UID);
}
} else {
// Everything else
if (args.uidSpecified || args.gidSpecified || args.gids != null) {
throw new ZygoteSecurityException("App UIDs may not specify uid's or gid's");
}
}
if (args.uidSpecified || args.gidSpecified || args.gids != null) {
boolean allowed =
SELinux.checkSELinuxAccess(
peerSecurityContext, peerSecurityContext, "zygote", "specifyids");
if (!allowed) {
throw new ZygoteSecurityException("Peer may not specify uid's or gid's");
}
}
// If not otherwise specified, uid and gid are inherited from peer
if (!args.uidSpecified) {
args.uid = peer.getUid();
args.uidSpecified = true;
}
if (!args.gidSpecified) {
args.gid = peer.getGid();
args.gidSpecified = true;
}
}
/**
* Applies zygote security policy. Based on the credentials of the process issuing a zygote
* command:
*
* <ol>
* <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command.
* <li>Any other uid may not specify any invoke-with argument.
* </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer)
throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (args.invokeWith != null && peerUid != 0) {
throw new ZygoteSecurityException(
"Peer is not permitted to specify " + "an explicit invoke-with wrapper command");
}
}
/**
* Applies zygote security policy per bug #1042973. Based on the credentials of the process
* issuing a zygote command:
*
* <ol>
* <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits.
* <li>All other uids may not specify rlimits.
* </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyRlimitSecurityPolicy(Arguments args, Credentials peer)
throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) {
// All peers with UID other than root or SYSTEM_UID
if (args.rlimits != null) {
throw new ZygoteSecurityException("This UID may not specify rlimits.");
}
}
}
/**
* Applies zygote security policy per bug #1042973. A root peer may spawn an instance with any
* capabilities. All other uids may spawn instances with any of the capabilities in the peer's
* permitted set but no more.
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyCapabilitiesSecurityPolicy(
Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException {
if (args.permittedCapabilities == 0 && args.effectiveCapabilities == 0) {
// nothing to check
return;
}
boolean allowed =
SELinux.checkSELinuxAccess(
peerSecurityContext, peerSecurityContext, "zygote", "specifycapabilities");
if (!allowed) {
throw new ZygoteSecurityException("Peer may not specify capabilities");
}
if (peer.getUid() == 0) {
// root may specify anything
return;
}
long permittedCaps;
try {
permittedCaps = ZygoteInit.capgetPermitted(peer.getPid());
} catch (IOException ex) {
throw new ZygoteSecurityException("Error retrieving peer's capabilities.");
}
/*
* Ensure that the client did not specify an effective set larger
* than the permitted set. The kernel will enforce this too, but we
* do it here to make the following check easier.
*/
if (((~args.permittedCapabilities) & args.effectiveCapabilities) != 0) {
throw new ZygoteSecurityException(
"Effective capabilities cannot be superset of " + " permitted capabilities");
}
/*
* Ensure that the new permitted (and thus the new effective) set is
* a subset of the peer process's permitted set
*/
if (((~permittedCaps) & args.permittedCapabilities) != 0) {
throw new ZygoteSecurityException("Peer specified unpermitted capabilities");
}
}
/**
* Applies zygote security policy. Based on the credentials of the process issuing a zygote
* command:
*
* <ol>
* <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command.
* <li>Any other uid may not specify any invoke-with argument.
* </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyInvokeWithSecurityPolicy(
Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (args.invokeWith != null && peerUid != 0) {
throw new ZygoteSecurityException(
"Peer is not permitted to specify " + "an explicit invoke-with wrapper command");
}
if (args.invokeWith != null) {
boolean allowed =
SELinux.checkSELinuxAccess(
peerSecurityContext, peerSecurityContext, "zygote", "specifyinvokewith");
if (!allowed) {
throw new ZygoteSecurityException(
"Peer is not permitted to specify " + "an explicit invoke-with wrapper command");
}
}
}
/**
* Applies zygote security policy per bug #1042973. Based on the credentials of the process
* issuing a zygote command:
*
* <ol>
* <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits.
* <li>All other uids may not specify rlimits.
* </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyRlimitSecurityPolicy(
Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) {
// All peers with UID other than root or SYSTEM_UID
if (args.rlimits != null) {
throw new ZygoteSecurityException("This UID may not specify rlimits.");
}
}
if (args.rlimits != null) {
boolean allowed =
SELinux.checkSELinuxAccess(
peerSecurityContext, peerSecurityContext, "zygote", "specifyrlimits");
if (!allowed) {
throw new ZygoteSecurityException("Peer may not specify rlimits");
}
}
}
/**
* Applies zygote security policy for SEAndroid information.
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
private static void applyseInfoSecurityPolicy(
Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException {
int peerUid = peer.getUid();
if (args.seInfo == null) {
// nothing to check
return;
}
if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) {
// All peers with UID other than root or SYSTEM_UID
throw new ZygoteSecurityException("This UID may not specify SEAndroid info.");
}
boolean allowed =
SELinux.checkSELinuxAccess(
peerSecurityContext, peerSecurityContext, "zygote", "specifyseinfo");
if (!allowed) {
throw new ZygoteSecurityException("Peer may not specify SEAndroid info");
}
return;
}