authordcashman <dcashman@google.com>2015-03-05 17:17:47 -0800
committerdcashman <dcashman@google.com>2015-03-09 12:37:08 -0700
commitfc4c0bf8bc162ada28969bacca9dff668a208399 (patch)
treecf3eb165fe9eae73bb698fdaba19e79e4ae5c52d /core
parent7a4cb563a29f05658760739d3bc2e70bd6342174 (diff)
ZygoteConnection: remove obsolete security checks.
SELinux guarantees that only the system_server and permissive domains such as su are allowed to connect to the zygote socket. Remove obsolete security checks that were only applicable when other processes could connect. Bug: 19624279 Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
Diffstat (limited to 'core')
-rw-r--r--core/java/com/android/internal/os/ZygoteConnection.java170
1 files changed, 22 insertions, 148 deletions
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java
index a55fe9a..9c97cc1 100644
--- a/core/java/com/android/internal/os/ZygoteConnection.java
+++ b/core/java/com/android/internal/os/ZygoteConnection.java
@@ -77,7 +77,6 @@ class ZygoteConnection {
private final DataOutputStream mSocketOutStream;
private final BufferedReader mSocketReader;
private final Credentials peer;
- private final String peerSecurityContext;
private final String abiList;
/**
@@ -98,15 +97,13 @@ class ZygoteConnection {
new InputStreamReader(socket.getInputStream()), 256);
mSocket.setSoTimeout(CONNECTION_TIMEOUT_MILLIS);
-
+
try {
peer = mSocket.getPeerCredentials();
} catch (IOException ex) {
Log.e(TAG, "Cannot read peer credentials", ex);
throw ex;
}
-
- peerSecurityContext = SELinux.getPeerContext(mSocket.getFileDescriptor());
}
/**
@@ -178,10 +175,8 @@ class ZygoteConnection {
", effective=0x" + Long.toHexString(parsedArgs.effectiveCapabilities));
}
- applyUidSecurityPolicy(parsedArgs, peer, peerSecurityContext);
- applyRlimitSecurityPolicy(parsedArgs, peer, peerSecurityContext);
- applyInvokeWithSecurityPolicy(parsedArgs, peer, peerSecurityContext);
- applyseInfoSecurityPolicy(parsedArgs, peer, peerSecurityContext);
+ applyUidSecurityPolicy(parsedArgs, peer);
+ applyInvokeWithSecurityPolicy(parsedArgs, peer);
applyDebuggerSystemProperty(parsedArgs);
applyInvokeWithSystemProperty(parsedArgs);
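Review bot: After the two `+` lines, `parsedArgs.rlimits` and `parsedArgs.seInfo` reach the fork with no policy check at all, and nothing in the code says why two of the four former checks vanished; the commit message carries that reasoning but a maintainer reading this method will not see it. Suggest a comment above `applyUidSecurityPolicy(parsedArgs, peer);` such as `// rlimits and seInfo are deliberately not validated here: SELinux policy limits zygote-socket clients to system_server (bug 19624279).` so the dependency on socket-level policy is explicit at the point where the remaining checks run. The enclosing method starts and ends outside the hunk.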
@@ -582,7 +577,7 @@ class ZygoteConnection {
}
// See bug 1092107: large argc can be used for a DOS attack
- if (argc > MAX_ZYGOTE_ARGC) {
+ if (argc > MAX_ZYGOTE_ARGC) {
throw new IOException("max arg count exceeded");
}
@@ -599,63 +594,30 @@ class ZygoteConnection {
}
/**
- * Applies zygote security policy per bugs #875058 and #1082165.
- * Based on the credentials of the process issuing a zygote command:
- * <ol>
- * <li> uid 0 (root) may specify any uid, gid, and setgroups() list
- * <li> uid 1000 (Process.SYSTEM_UID) may specify any uid &gt; 1000 in normal
+ * uid 1000 (Process.SYSTEM_UID) may specify any uid &gt; 1000 in normal
* operation. It may also specify any gid and setgroups() list it chooses.
* In factory test mode, it may specify any UID.
- * <li> Any other uid may not specify any uid, gid, or setgroups list. The
- * uid and gid will be inherited from the requesting process.
- * </ul>
*
* @param args non-null; zygote spawner arguments
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
- private static void applyUidSecurityPolicy(Arguments args, Credentials peer,
- String peerSecurityContext)
+ private static void applyUidSecurityPolicy(Arguments args, Credentials peer)
throws ZygoteSecurityException {
- int peerUid = peer.getUid();
-
- if (peerUid == 0) {
- // Root can do what it wants
- } else if (peerUid == Process.SYSTEM_UID ) {
- // System UID is restricted, except in factory test mode
+ if (peer.getUid() == Process.SYSTEM_UID) {
String factoryTest = SystemProperties.get("ro.factorytest");
boolean uidRestricted;
/* In normal operation, SYSTEM_UID can only specify a restricted
* set of UIDs. In factory test mode, SYSTEM_UID may specify any uid.
*/
- uidRestricted
- = !(factoryTest.equals("1") || factoryTest.equals("2"));
+ uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2"));
- if (uidRestricted
- && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) {
+ if (uidRestricted && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) {
throw new ZygoteSecurityException(
"System UID may not launch process with UID < "
- + Process.SYSTEM_UID);
- }
- } else {
- // Everything else
- if (args.uidSpecified || args.gidSpecified
- || args.gids != null) {
- throw new ZygoteSecurityException(
- "App UIDs may not specify uid's or gid's");
- }
- }
-
- if (args.uidSpecified || args.gidSpecified || args.gids != null) {
- boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext,
- peerSecurityContext,
- "zygote",
- "specifyids");
- if (!allowed) {
- throw new ZygoteSecurityException(
- "Peer may not specify uid's or gid's");
+ + Process.SYSTEM_UID);
}
}
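Review bot: The Javadoc on the new side still reads as a fragment of the deleted list (`* uid 1000 (Process.SYSTEM_UID) may specify ...` with its `<ol>`/`<li>` markup gone) and no longer states what the method does for any other peer, which after this change is nothing — only a SYSTEM_UID peer is ever restricted. Suggest rewording the summary to say that the method restricts only SYSTEM_UID, that all other peer uids pass unchecked because SELinux policy is relied on to keep them from connecting to the zygote socket, and that it therefore provides no uid restriction on its own when SELinux is permissive. As a style point, the `boolean uidRestricted;` declaration and the later assignment can be merged into `boolean uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2"));` with the block comment kept above it. The method's closing brace lies outside the hunk.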
@@ -670,7 +632,6 @@ class ZygoteConnection {
}
}
-
/**
* Applies debugger system properties to the zygote arguments.
*
@@ -687,44 +648,6 @@ class ZygoteConnection {
}
/**
- * Applies zygote security policy per bug #1042973. Based on the credentials
- * of the process issuing a zygote command:
- * <ol>
- * <li> peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID)
- * may specify any rlimits.
- * <li> All other uids may not specify rlimits.
- * </ul>
- * @param args non-null; zygote spawner arguments
- * @param peer non-null; peer credentials
- * @throws ZygoteSecurityException
- */
- private static void applyRlimitSecurityPolicy(
- Arguments args, Credentials peer, String peerSecurityContext)
- throws ZygoteSecurityException {
-
- int peerUid = peer.getUid();
-
- if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) {
- // All peers with UID other than root or SYSTEM_UID
- if (args.rlimits != null) {
- throw new ZygoteSecurityException(
- "This UID may not specify rlimits.");
- }
- }
-
- if (args.rlimits != null) {
- boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext,
- peerSecurityContext,
- "zygote",
- "specifyrlimits");
- if (!allowed) {
- throw new ZygoteSecurityException(
- "Peer may not specify rlimits");
- }
- }
- }
-
- /**
* Applies zygote security policy.
* Based on the credentials of the process issuing a zygote command:
* <ol>
@@ -737,8 +660,7 @@ class ZygoteConnection {
* @param peer non-null; peer credentials
* @throws ZygoteSecurityException
*/
- private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer,
- String peerSecurityContext)
+ private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer)
throws ZygoteSecurityException {
int peerUid = peer.getUid();
@@ -746,52 +668,6 @@ class ZygoteConnection {
throw new ZygoteSecurityException("Peer is not permitted to specify "
+ "an explicit invoke-with wrapper command");
}
-
- if (args.invokeWith != null) {
- boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext,
- peerSecurityContext,
- "zygote",
- "specifyinvokewith");
- if (!allowed) {
- throw new ZygoteSecurityException("Peer is not permitted to specify "
- + "an explicit invoke-with wrapper command");
- }
- }
- }
-
- /**
- * Applies zygote security policy for SELinux information.
- *
- * @param args non-null; zygote spawner arguments
- * @param peer non-null; peer credentials
- * @throws ZygoteSecurityException
- */
- private static void applyseInfoSecurityPolicy(
- Arguments args, Credentials peer, String peerSecurityContext)
- throws ZygoteSecurityException {
- int peerUid = peer.getUid();
-
- if (args.seInfo == null) {
- // nothing to check
- return;
- }
-
- if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) {
- // All peers with UID other than root or SYSTEM_UID
- throw new ZygoteSecurityException(
- "This UID may not specify SELinux info.");
- }
-
- boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext,
- peerSecurityContext,
- "zygote",
- "specifyseinfo");
- if (!allowed) {
- throw new ZygoteSecurityException(
- "Peer may not specify SELinux info");
- }
-
- return;
}
/**
@@ -801,21 +677,19 @@ class ZygoteConnection {
*/
public static void applyInvokeWithSystemProperty(Arguments args) {
if (args.invokeWith == null && args.niceName != null) {
- if (args.niceName != null) {
- String property = "wrap." + args.niceName;
- if (property.length() > 31) {
- // Properties with a trailing "." are illegal.
- if (property.charAt(30) != '.') {
- property = property.substring(0, 31);
- } else {
- property = property.substring(0, 30);
- }
- }
- args.invokeWith = SystemProperties.get(property);
- if (args.invokeWith != null && args.invokeWith.length() == 0) {
- args.invokeWith = null;
+ String property = "wrap." + args.niceName;
+ if (property.length() > 31) {
+ // Properties with a trailing "." are illegal.
+ if (property.charAt(30) != '.') {
+ property = property.substring(0, 31);
+ } else {
+ property = property.substring(0, 30);
}
}
+ args.invokeWith = SystemProperties.get(property);
+ if (args.invokeWith != null && args.invokeWith.length() == 0) {
+ args.invokeWith = null;
+ }
}
}
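Review bot: The de-nested lines keep `if (args.invokeWith != null && args.invokeWith.length() == 0)`, where `args.invokeWith.isEmpty()` reads more clearly now that the surrounding structure has been simplified. The `31`/`30` literals in the truncation branch presumably encode a system-property name length limit; since this code has just been rewritten, a short comment stating that limit, or a named constant, would save the next reader from guessing. The behaviour is otherwise unchanged by the reindentation, as far as the visible lines show.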