From be484200b616e4eee4a8a8f10e663f9306df0b3a Mon Sep 17 00:00:00 2001 From: Narayan Kamath Date: Fri, 23 Sep 2016 09:07:11 +0100 Subject: Zygote: Additional whitelists for runtime overlay / other static resources. Partially cherry picked from commit 1c15c635785c64a. These files are safe to reopen for the same reason that files in /system/framework are. They're regular files and will not change after the first zygote fork. Bug: 32618130 Change-Id: I119e0bfcbf397cb331064adf148d92a5cd3ea92f (cherry picked from commit 4e8ba1d73eee1311bb78144be43862b393548d5d) --- core/jni/fd_utils-inl.h | 44 +++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-) (limited to 'core/jni/fd_utils-inl.h') diff --git a/core/jni/fd_utils-inl.h b/core/jni/fd_utils-inl.h index f245a7f..30fccf8 100644 --- a/core/jni/fd_utils-inl.h +++ b/core/jni/fd_utils-inl.h @@ -248,9 +248,22 @@ class FileDescriptorInfo { is_sock(false) { } + static bool StartsWith(const std::string& str, const std::string& prefix) { + return str.compare(0, prefix.size(), prefix) == 0; + } + + static bool EndsWith(const std::string& str, const std::string& suffix) { + if (suffix.size() > str.size()) { + return false; + } + + return str.compare(str.size() - suffix.size(), suffix.size(), suffix) == 0; + } + // Returns true iff. a given path is whitelisted. A path is whitelisted // if it belongs to the whitelist (see kPathWhitelist) or if it's a path - // under /system/framework that ends with ".jar". + // under /system/framework that ends with ".jar" or if it is a system + // framework overlay. static bool IsWhitelisted(const std::string& path) { for (size_t i = 0; i < (sizeof(kPathWhitelist) / sizeof(kPathWhitelist[0])); ++i) { if (kPathWhitelist[i] == path) { @@ -260,10 +273,35 @@ class FileDescriptorInfo { static const std::string kFrameworksPrefix = "/system/framework/"; static const std::string kJarSuffix = ".jar"; - if (path.compare(0, kFrameworksPrefix.size(), kFrameworksPrefix) == 0 && - path.compare(path.size() - kJarSuffix.size(), kJarSuffix.size(), kJarSuffix) == 0) { + if (StartsWith(path, kFrameworksPrefix) && EndsWith(path, kJarSuffix)) { return true; } + + // Whitelist files needed for Runtime Resource Overlay, like these: + // /system/vendor/overlay/framework-res.apk + // /system/vendor/overlay-subdir/pg/framework-res.apk + // /data/resource-cache/system@vendor@overlay@framework-res.apk@idmap + // /data/resource-cache/system@vendor@overlay-subdir@pg@framework-res.apk@idmap + // See AssetManager.cpp for more details on overlay-subdir. + static const std::string kOverlayDir = "/system/vendor/overlay/"; + static const std::string kVendorOverlayDir = "/vendor/overlay"; + static const std::string kOverlaySubdir = "/system/vendor/overlay-subdir/"; + static const std::string kApkSuffix = ".apk"; + + if ((StartsWith(path, kOverlayDir) || StartsWith(path, kOverlaySubdir) + || StartsWith(path, kVendorOverlayDir)) + && EndsWith(path, kApkSuffix) + && path.find("/../") == std::string::npos) { + return true; + } + + static const std::string kOverlayIdmapPrefix = "/data/resource-cache/"; + static const std::string kOverlayIdmapSuffix = ".apk@idmap"; + if (StartsWith(path, kOverlayIdmapPrefix) && EndsWith(path, kOverlayIdmapSuffix) + && path.find("/../") == std::string::npos) { + return true; + } + return false; } -- cgit v1.1 From 5a1319ce573a9273404e2ded4bce1459008dd048 Mon Sep 17 00:00:00 2001 From: Narayan Kamath Date: Mon, 7 Nov 2016 19:59:29 +0000 Subject: Zygote: Additional whitelisting for legacy devices. On M and below, we provide a blanket whitelist for all files under "/vendor/zygote_whitelist". This path is whitelisted purely to allow this patch to be applied easily on legacy devices and configurations. Note that this does not amount to a loosening of our security policy because whitelisted files are reopened anyway. Bug: 32691930 Test: manual Change-Id: If5b53f6f0a707f8d36603c09bfd3f72dbfbbbb99 (cherry picked from commit 5e2f7c6229d7191183888d685b57a7d0a2835fce) --- core/jni/fd_utils-inl.h | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'core/jni/fd_utils-inl.h') diff --git a/core/jni/fd_utils-inl.h b/core/jni/fd_utils-inl.h index 30fccf8..6c4ca6b 100644 --- a/core/jni/fd_utils-inl.h +++ b/core/jni/fd_utils-inl.h @@ -302,6 +302,12 @@ class FileDescriptorInfo { return true; } + // All regular files that are placed under this path are whitelisted automatically. + static const std::string kZygoteWhitelistPath = "/vendor/zygote_whitelist/"; + if (StartsWith(path, kZygoteWhitelistPath) && path.find("/../") == std::string::npos) { + return true; + } + return false; } -- cgit v1.1