Snap for 10132053 from 8c40c00f3d7b2a2881a38c073bce4dba0e87dba0 to udc-release
Change-Id: I4627507dcb44b58ec3dadf4eed36d4f72039955b
diff --git a/libselinux/src/android/android_seapp.c b/libselinux/src/android/android_seapp.c
index dc3e9da..391165d 100644
--- a/libselinux/src/android/android_seapp.c
+++ b/libselinux/src/android/android_seapp.c
@@ -135,6 +135,7 @@
int32_t minTargetSdkVersion;
bool fromRunAs;
bool isIsolatedComputeApp;
+ bool isSdkSandboxNext;
/* outputs */
char *domain;
char *type;
@@ -241,7 +242,8 @@
(s1->isPrivAppSet && s1->isPrivApp == s2->isPrivApp) &&
(s1->isSystemServer && s1->isSystemServer == s2->isSystemServer) &&
(s1->isEphemeralAppSet && s1->isEphemeralApp == s2->isEphemeralApp) &&
- (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp);
+ (s1->isIsolatedComputeApp && s1->isIsolatedComputeApp == s2->isIsolatedComputeApp) &&
+ (s1->isSdkSandboxNext && s1->isSdkSandboxNext == s2->isSdkSandboxNext);
if (dup) {
seapp_contexts_dup = true;
@@ -526,7 +528,16 @@
free_seapp_context(cur);
goto err;
}
- } else {
+ } else if (!strcasecmp(name, "isSdkSandboxNext")) {
+ if (!strcasecmp(value, "true"))
+ cur->isSdkSandboxNext = true;
+ else if (!strcasecmp(value, "false"))
+ cur->isSdkSandboxNext = false;
+ else {
+ free_seapp_context(cur);
+ goto err;
+ }
+ } else {
free_seapp_context(cur);
goto err;
}
@@ -563,7 +574,7 @@
int i;
for (i = 0; i < nspec; i++) {
cur = seapp_contexts[i];
- selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s user=%s seinfo=%s "
+ selinux_log(SELINUX_INFO, "%s: isSystemServer=%s isEphemeralApp=%s isIsolatedComputeApp=%s isSdkSandboxNext=%s user=%s seinfo=%s "
"name=%s isPrivApp=%s minTargetSdkVersion=%d fromRunAs=%s -> domain=%s type=%s level=%s levelFrom=%s",
__FUNCTION__,
cur->isSystemServer ? "true" : "false",
@@ -574,6 +585,7 @@
cur->minTargetSdkVersion,
cur->fromRunAs ? "true" : "false",
cur->isIsolatedComputeApp ? "true" : "false",
+ cur->isSdkSandboxNext ? "true" : "false",
cur->domain, cur->type, cur->level,
levelFromName[cur->levelFrom]);
}
@@ -628,6 +640,7 @@
#define PRIVILEGED_APP_STR ":privapp"
#define ISOLATED_COMPUTE_APP_STR ":isolatedComputeApp"
+#define APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR ":isSdkSandboxNext"
#define EPHEMERAL_APP_STR ":ephemeralapp"
#define TARGETSDKVERSION_STR ":targetSdkVersion="
#define FROM_RUNAS_STR ":fromRunAs"
@@ -726,6 +739,7 @@
bool isPrivApp = false;
bool isEphemeralApp = false;
bool isIsolatedComputeApp = false;
+ bool isSdkSandboxNext = false;
int32_t targetSdkVersion = 0;
bool fromRunAs = false;
char parsedseinfo[BUFSIZ];
@@ -736,6 +750,7 @@
isPrivApp = strstr(seinfo, PRIVILEGED_APP_STR) ? true : false;
isEphemeralApp = strstr(seinfo, EPHEMERAL_APP_STR) ? true : false;
isIsolatedComputeApp = strstr(seinfo, ISOLATED_COMPUTE_APP_STR) ? true : false;
+ isSdkSandboxNext = strstr(seinfo, APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS_STR) ? true : false;
fromRunAs = strstr(seinfo, FROM_RUNAS_STR) ? true : false;
targetSdkVersion = get_app_targetSdkVersion(seinfo);
if (targetSdkVersion < 0) {
@@ -817,6 +832,9 @@
if (cur->isIsolatedComputeApp != isIsolatedComputeApp)
continue;
+ if (cur->isSdkSandboxNext != isSdkSandboxNext)
+ continue;
+
if (kind == SEAPP_TYPE && !cur->type)
continue;
else if (kind == SEAPP_DOMAIN && !cur->domain)
