/** * Applies zygote security policy per bugs #875058 and #1082165. Based on the credentials of the * process issuing a zygote command: * * <ol> * <li>uid 0 (root) may specify any uid, gid, and setgroups() list * <li>uid 1000 (Process.SYSTEM_UID) may specify any uid > 1000 in normal operation. It may * also specify any gid and setgroups() list it chooses. In factory test mode, it may * specify any UID. * <li>Any other uid may not specify any uid, gid, or setgroups list. The uid and gid will be * inherited from the requesting process. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyUidSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (peerUid == 0) { // Root can do what it wants } else if (peerUid == Process.SYSTEM_UID) { // System UID is restricted, except in factory test mode String factoryTest = SystemProperties.get("ro.factorytest"); boolean uidRestricted; /* In normal operation, SYSTEM_UID can only specify a restricted * set of UIDs. In factory test mode, SYSTEM_UID may specify any uid. */ uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2")); if (uidRestricted && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) { throw new ZygoteSecurityException( "System UID may not launch process with UID < " + Process.SYSTEM_UID); } } else { // Everything else if (args.uidSpecified || args.gidSpecified || args.gids != null) { throw new ZygoteSecurityException("App UIDs may not specify uid's or gid's"); } } if (args.uidSpecified || args.gidSpecified || args.gids != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyids"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify uid's or gid's"); } } // If not otherwise specified, uid and gid are inherited from peer if (!args.uidSpecified) { args.uid = peer.getUid(); args.uidSpecified = true; } if (!args.gidSpecified) { args.gid = peer.getGid(); args.gidSpecified = true; } }
/** * Applies zygote security policy. Based on the credentials of the process issuing a zygote * command: * * <ol> * <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command. * <li>Any other uid may not specify any invoke-with argument. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.invokeWith != null && peerUid != 0) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } }
/** * Applies zygote security policy per bug #1042973. Based on the credentials of the process * issuing a zygote command: * * <ol> * <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits. * <li>All other uids may not specify rlimits. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyRlimitSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID if (args.rlimits != null) { throw new ZygoteSecurityException("This UID may not specify rlimits."); } } }
/** * Applies zygote security policy per bug #1042973. A root peer may spawn an instance with any * capabilities. All other uids may spawn instances with any of the capabilities in the peer's * permitted set but no more. * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyCapabilitiesSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { if (args.permittedCapabilities == 0 && args.effectiveCapabilities == 0) { // nothing to check return; } boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifycapabilities"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify capabilities"); } if (peer.getUid() == 0) { // root may specify anything return; } long permittedCaps; try { permittedCaps = ZygoteInit.capgetPermitted(peer.getPid()); } catch (IOException ex) { throw new ZygoteSecurityException("Error retrieving peer's capabilities."); } /* * Ensure that the client did not specify an effective set larger * than the permitted set. The kernel will enforce this too, but we * do it here to make the following check easier. */ if (((~args.permittedCapabilities) & args.effectiveCapabilities) != 0) { throw new ZygoteSecurityException( "Effective capabilities cannot be superset of " + " permitted capabilities"); } /* * Ensure that the new permitted (and thus the new effective) set is * a subset of the peer process's permitted set */ if (((~permittedCaps) & args.permittedCapabilities) != 0) { throw new ZygoteSecurityException("Peer specified unpermitted capabilities"); } }
/** * Applies zygote security policy. Based on the credentials of the process issuing a zygote * command: * * <ol> * <li>uid 0 (root) may specify --invoke-with to launch Zygote with a wrapper command. * <li>Any other uid may not specify any invoke-with argument. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyInvokeWithSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.invokeWith != null && peerUid != 0) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } if (args.invokeWith != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyinvokewith"); if (!allowed) { throw new ZygoteSecurityException( "Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } } }
/** * Applies zygote security policy per bug #1042973. Based on the credentials of the process * issuing a zygote command: * * <ol> * <li>peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) may specify any rlimits. * <li>All other uids may not specify rlimits. * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyRlimitSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID if (args.rlimits != null) { throw new ZygoteSecurityException("This UID may not specify rlimits."); } } if (args.rlimits != null) { boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyrlimits"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify rlimits"); } } }
/** * Applies zygote security policy for SEAndroid information. * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ private static void applyseInfoSecurityPolicy( Arguments args, Credentials peer, String peerSecurityContext) throws ZygoteSecurityException { int peerUid = peer.getUid(); if (args.seInfo == null) { // nothing to check return; } if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { // All peers with UID other than root or SYSTEM_UID throw new ZygoteSecurityException("This UID may not specify SEAndroid info."); } boolean allowed = SELinux.checkSELinuxAccess( peerSecurityContext, peerSecurityContext, "zygote", "specifyseinfo"); if (!allowed) { throw new ZygoteSecurityException("Peer may not specify SEAndroid info"); } return; }