Add minTargetSdkVersion input selector to seapp_contexts

This new input selector allows phasing in new security policies by giving app developers an opportunity to make any needed compatibility changes before updating each app's targetSdkVersion. When all else is equal, matching entries with higher minTargetSdkVersion= values are preferred over entries with lower minTargetSdkVersion= values. Test: Marlin builds and boots. Apps targeting targetSdkVersion<=25 run in untrusted_app_25 domain. Apps targeting the current development build >=26 run in the untrusted_app domain with fewer permissions. No new denials observed during testing. Bug: 34115651 Change-Id: I14bf4f51dbe26cb9bd3f62ad0b281085441d9806

Add minTargetSdkVersion input selector to seapp_contexts
f54b3622 · Michael Peck · Jeff Vander Stoep · daeb5e01 · f54b3622 · f54b3622
Commit f54b3622 authored 8 years ago by Michael Peck Committed by Jeff Vander Stoep 8 years ago
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
 # Input selectors:
-#	isSystemServer (boolean)
+#       isSystemServer (boolean)
-#	isEphemeralApp (boolean)
+#       isEphemeralApp (boolean)
-#	isOwner (boolean)
+#       isOwner (boolean)
-#	user (string)
+#       user (string)
-#	seinfo (string)
+#       seinfo (string)
-#	name (string)
+#       name (string)
-#	path (string)
+#       path (string)
-#	isPrivApp (boolean)
+#       isPrivApp (boolean)
+#       minTargetSdkVersion (unsigned integer)
 # isSystemServer=true can only be used once.
 # An unspecified isSystemServer defaults to false.
 # isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
@@ -19,27 +20,32 @@
 # user=_isolated will match any isolated service UID.
 # isPrivApp=true will only match for applications preinstalled in
 #       /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+#       greater than or equal to the specified value. If unspecified,
+#       it has a default value of 0.
 # All specified input selectors in an entry must match (i.e. logical AND).
 # Matching is case-insensitive.
 #
 # Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
-# 	  (1) isSystemServer=true before isSystemServer=false.
+#       (1) isSystemServer=true before isSystemServer=false.
-# 	  (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+#       (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
-# 	  (3) Specified isOwner= before unspecified isOwner= boolean.
+#       (3) Specified isOwner= before unspecified isOwner= boolean.
-#	  (4) Specified user= string before unspecified user= string.
+#       (4) Specified user= string before unspecified user= string.
-#	  (5) Fixed user= string before user= prefix (i.e. ending in *).
+#       (5) Fixed user= string before user= prefix (i.e. ending in *).
-#	  (6) Longer user= prefix before shorter user= prefix.
+#       (6) Longer user= prefix before shorter user= prefix.
-#	  (7) Specified seinfo= string before unspecified seinfo= string.
+#       (7) Specified seinfo= string before unspecified seinfo= string.
-#	      ':' character is reserved and may not be used.
+#           ':' character is reserved and may not be used.
-#	  (8) Specified name= string before unspecified name= string.
+#       (8) Specified name= string before unspecified name= string.
-#	  (9) Specified path= string before unspecified path= string.
+#       (9) Specified path= string before unspecified path= string.
-# 	  (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (10) Specified isPrivApp= before unspecified isPrivApp= boolean.
+#       (11) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+#              integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
 #
 # Outputs:
-#	domain (string)
+#       domain (string)
-#	type (string)
+#       type (string)
-#	levelFrom (string; one of none, all, app, or user)
+#       levelFrom (string; one of none, all, app, or user)
-#	level (string)
+#       level (string)
 # Only entries that specify domain= will be used for app process labeling.
 # Only entries that specify type= will be used for app directory labeling.
 # levelFrom=user is only supported for _app or _isolated UIDs.

--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -194,6 +194,7 @@ static bool validate_bool(char *value, char **errmsg);
 static bool validate_levelFrom(char *value, char **errmsg);
 static bool validate_selinux_type(char *value, char **errmsg);
 static bool validate_selinux_level(char *value, char **errmsg);
+static bool validate_uint(char *value, char **errmsg);
 /**
 * The heart of the mapping process, this must be updated if a new key value pair is added
@@ -209,6 +210,7 @@ key_map rules[] = {
                { .name = "name",           .dir = dir_in,                              },
                { .name = "path",           .dir = dir_in,                              },
                { .name = "isPrivApp",      .dir = dir_in, .fn_validate = validate_bool },
+                { .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
                /*Outputs*/
                { .name = "domain",         .dir = dir_out, .fn_validate = validate_selinux_type  },
                { .name = "type",           .dir = dir_out, .fn_validate = validate_selinux_type  },
@@ -417,6 +419,19 @@ static bool validate_selinux_level(char *value, char **errmsg) {
 	return true;
 }
+static bool validate_uint(char *value, char **errmsg) {
+	char *endptr;
+	long longvalue;
+	longvalue = strtol(value, &endptr, 10);
+	if (('\0' != *endptr) || (longvalue < 0) || (longvalue > INT32_MAX)) {
+		*errmsg = "Expecting a valid unsigned integer";
+		return false;
+	}
+	return true;
+}
 /**
 * Validates a key_map against a set of enforcement rules, this
 * function exits the application on a type that cannot be properly