diff options
author | dcashman <dcashman@google.com> | 2015-03-05 17:17:47 -0800 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2015-03-09 12:37:08 -0700 |
commit | fc4c0bf8bc162ada28969bacca9dff668a208399 (patch) | |
tree | cf3eb165fe9eae73bb698fdaba19e79e4ae5c52d /core | |
parent | 7a4cb563a29f05658760739d3bc2e70bd6342174 (diff) | |
download | frameworks_base-fc4c0bf8bc162ada28969bacca9dff668a208399.zip frameworks_base-fc4c0bf8bc162ada28969bacca9dff668a208399.tar.gz frameworks_base-fc4c0bf8bc162ada28969bacca9dff668a208399.tar.bz2 |
ZygoteConnection: remove obsolete security checks.
SELinux guarantees that only the system_server and permissive domains such as su
are allowed to connect to the zygote socket. Remove obsolete security checks
that were only applicable when other processes could connect.
Bug: 19624279
Change-Id: I1c925d7facf19b3953b5deb85d992415344c4c9f
Diffstat (limited to 'core')
-rw-r--r-- | core/java/com/android/internal/os/ZygoteConnection.java | 170 |
1 files changed, 22 insertions, 148 deletions
diff --git a/core/java/com/android/internal/os/ZygoteConnection.java b/core/java/com/android/internal/os/ZygoteConnection.java index a55fe9a..9c97cc1 100644 --- a/core/java/com/android/internal/os/ZygoteConnection.java +++ b/core/java/com/android/internal/os/ZygoteConnection.java @@ -77,7 +77,6 @@ class ZygoteConnection { private final DataOutputStream mSocketOutStream; private final BufferedReader mSocketReader; private final Credentials peer; - private final String peerSecurityContext; private final String abiList; /** @@ -98,15 +97,13 @@ class ZygoteConnection { new InputStreamReader(socket.getInputStream()), 256); mSocket.setSoTimeout(CONNECTION_TIMEOUT_MILLIS); - + try { peer = mSocket.getPeerCredentials(); } catch (IOException ex) { Log.e(TAG, "Cannot read peer credentials", ex); throw ex; } - - peerSecurityContext = SELinux.getPeerContext(mSocket.getFileDescriptor()); } /** @@ -178,10 +175,8 @@ class ZygoteConnection { ", effective=0x" + Long.toHexString(parsedArgs.effectiveCapabilities)); } - applyUidSecurityPolicy(parsedArgs, peer, peerSecurityContext); - applyRlimitSecurityPolicy(parsedArgs, peer, peerSecurityContext); - applyInvokeWithSecurityPolicy(parsedArgs, peer, peerSecurityContext); - applyseInfoSecurityPolicy(parsedArgs, peer, peerSecurityContext); + applyUidSecurityPolicy(parsedArgs, peer); + applyInvokeWithSecurityPolicy(parsedArgs, peer); applyDebuggerSystemProperty(parsedArgs); applyInvokeWithSystemProperty(parsedArgs); @@ -582,7 +577,7 @@ class ZygoteConnection { } // See bug 1092107: large argc can be used for a DOS attack - if (argc > MAX_ZYGOTE_ARGC) { + if (argc > MAX_ZYGOTE_ARGC) { throw new IOException("max arg count exceeded"); } @@ -599,63 +594,30 @@ class ZygoteConnection { } /** - * Applies zygote security policy per bugs #875058 and #1082165. - * Based on the credentials of the process issuing a zygote command: - * <ol> - * <li> uid 0 (root) may specify any uid, gid, and setgroups() list - * <li> uid 1000 (Process.SYSTEM_UID) may specify any uid > 1000 in normal + * uid 1000 (Process.SYSTEM_UID) may specify any uid > 1000 in normal * operation. It may also specify any gid and setgroups() list it chooses. * In factory test mode, it may specify any UID. - * <li> Any other uid may not specify any uid, gid, or setgroups list. The - * uid and gid will be inherited from the requesting process. - * </ul> * * @param args non-null; zygote spawner arguments * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ - private static void applyUidSecurityPolicy(Arguments args, Credentials peer, - String peerSecurityContext) + private static void applyUidSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { - int peerUid = peer.getUid(); - - if (peerUid == 0) { - // Root can do what it wants - } else if (peerUid == Process.SYSTEM_UID ) { - // System UID is restricted, except in factory test mode + if (peer.getUid() == Process.SYSTEM_UID) { String factoryTest = SystemProperties.get("ro.factorytest"); boolean uidRestricted; /* In normal operation, SYSTEM_UID can only specify a restricted * set of UIDs. In factory test mode, SYSTEM_UID may specify any uid. */ - uidRestricted - = !(factoryTest.equals("1") || factoryTest.equals("2")); + uidRestricted = !(factoryTest.equals("1") || factoryTest.equals("2")); - if (uidRestricted - && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) { + if (uidRestricted && args.uidSpecified && (args.uid < Process.SYSTEM_UID)) { throw new ZygoteSecurityException( "System UID may not launch process with UID < " - + Process.SYSTEM_UID); - } - } else { - // Everything else - if (args.uidSpecified || args.gidSpecified - || args.gids != null) { - throw new ZygoteSecurityException( - "App UIDs may not specify uid's or gid's"); - } - } - - if (args.uidSpecified || args.gidSpecified || args.gids != null) { - boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext, - peerSecurityContext, - "zygote", - "specifyids"); - if (!allowed) { - throw new ZygoteSecurityException( - "Peer may not specify uid's or gid's"); + + Process.SYSTEM_UID); } } @@ -670,7 +632,6 @@ class ZygoteConnection { } } - /** * Applies debugger system properties to the zygote arguments. * @@ -687,44 +648,6 @@ class ZygoteConnection { } /** - * Applies zygote security policy per bug #1042973. Based on the credentials - * of the process issuing a zygote command: - * <ol> - * <li> peers of uid 0 (root) and uid 1000 (Process.SYSTEM_UID) - * may specify any rlimits. - * <li> All other uids may not specify rlimits. - * </ul> - * @param args non-null; zygote spawner arguments - * @param peer non-null; peer credentials - * @throws ZygoteSecurityException - */ - private static void applyRlimitSecurityPolicy( - Arguments args, Credentials peer, String peerSecurityContext) - throws ZygoteSecurityException { - - int peerUid = peer.getUid(); - - if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { - // All peers with UID other than root or SYSTEM_UID - if (args.rlimits != null) { - throw new ZygoteSecurityException( - "This UID may not specify rlimits."); - } - } - - if (args.rlimits != null) { - boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext, - peerSecurityContext, - "zygote", - "specifyrlimits"); - if (!allowed) { - throw new ZygoteSecurityException( - "Peer may not specify rlimits"); - } - } - } - - /** * Applies zygote security policy. * Based on the credentials of the process issuing a zygote command: * <ol> @@ -737,8 +660,7 @@ class ZygoteConnection { * @param peer non-null; peer credentials * @throws ZygoteSecurityException */ - private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer, - String peerSecurityContext) + private static void applyInvokeWithSecurityPolicy(Arguments args, Credentials peer) throws ZygoteSecurityException { int peerUid = peer.getUid(); @@ -746,52 +668,6 @@ class ZygoteConnection { throw new ZygoteSecurityException("Peer is not permitted to specify " + "an explicit invoke-with wrapper command"); } - - if (args.invokeWith != null) { - boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext, - peerSecurityContext, - "zygote", - "specifyinvokewith"); - if (!allowed) { - throw new ZygoteSecurityException("Peer is not permitted to specify " - + "an explicit invoke-with wrapper command"); - } - } - } - - /** - * Applies zygote security policy for SELinux information. - * - * @param args non-null; zygote spawner arguments - * @param peer non-null; peer credentials - * @throws ZygoteSecurityException - */ - private static void applyseInfoSecurityPolicy( - Arguments args, Credentials peer, String peerSecurityContext) - throws ZygoteSecurityException { - int peerUid = peer.getUid(); - - if (args.seInfo == null) { - // nothing to check - return; - } - - if (!(peerUid == 0 || peerUid == Process.SYSTEM_UID)) { - // All peers with UID other than root or SYSTEM_UID - throw new ZygoteSecurityException( - "This UID may not specify SELinux info."); - } - - boolean allowed = SELinux.checkSELinuxAccess(peerSecurityContext, - peerSecurityContext, - "zygote", - "specifyseinfo"); - if (!allowed) { - throw new ZygoteSecurityException( - "Peer may not specify SELinux info"); - } - - return; } /** @@ -801,21 +677,19 @@ class ZygoteConnection { */ public static void applyInvokeWithSystemProperty(Arguments args) { if (args.invokeWith == null && args.niceName != null) { - if (args.niceName != null) { - String property = "wrap." + args.niceName; - if (property.length() > 31) { - // Properties with a trailing "." are illegal. - if (property.charAt(30) != '.') { - property = property.substring(0, 31); - } else { - property = property.substring(0, 30); - } - } - args.invokeWith = SystemProperties.get(property); - if (args.invokeWith != null && args.invokeWith.length() == 0) { - args.invokeWith = null; + String property = "wrap." + args.niceName; + if (property.length() > 31) { + // Properties with a trailing "." are illegal. + if (property.charAt(30) != '.') { + property = property.substring(0, 31); + } else { + property = property.substring(0, 30); } } + args.invokeWith = SystemProperties.get(property); + if (args.invokeWith != null && args.invokeWith.length() == 0) { + args.invokeWith = null; + } } } |