-rw-r--r--services/core/java/com/android/server/am/ProcessList.java37
-rw-r--r--services/tests/mockingservicestests/src/com/android/server/am/ActivityManagerServiceTest.java82
2 files changed, 115 insertions, 4 deletions
diff --git a/services/core/java/com/android/server/am/ProcessList.java b/services/core/java/com/android/server/am/ProcessList.java
index f7d040834065..7c0797020f03 100644
--- a/services/core/java/com/android/server/am/ProcessList.java
+++ b/services/core/java/com/android/server/am/ProcessList.java
@@ -36,6 +36,7 @@ import static android.os.Process.killProcessQuiet;
import static android.os.Process.startWebView;
import static android.system.OsConstants.*;
+import static com.android.sdksandbox.flags.Flags.selinuxSdkSandboxAudit;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_LRU;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_NETWORK;
import static com.android.server.am.ActivityManagerDebugConfig.DEBUG_PROCESSES;
@@ -183,6 +184,7 @@ public final class ProcessList {
static final String ANDROID_VOLD_APP_DATA_ISOLATION_ENABLED_PROPERTY =
"persist.sys.vold_app_data_isolation_enabled";
+ private static final String APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = ":isSdkSandboxAudit";
private static final String APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = ":isSdkSandboxNext";
// OOM adjustments for processes in various states:
@@ -549,6 +551,10 @@ public final class ProcessList {
ActivityManagerGlobalLock mProcLock;
+ private static final String PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS =
+ "apply_sdk_sandbox_audit_restrictions";
+ private static final boolean DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = false;
+
private static final String PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS =
"apply_sdk_sandbox_next_restrictions";
private static final boolean DEFAULT_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = false;
@@ -573,6 +579,13 @@ public final class ProcessList {
private final Object mLock = new Object();
@GuardedBy("mLock")
+ private boolean mSdkSandboxApplyRestrictionsAudit =
+ DeviceConfig.getBoolean(
+ DeviceConfig.NAMESPACE_ADSERVICES,
+ PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS,
+ DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
+
+ @GuardedBy("mLock")
private boolean mSdkSandboxApplyRestrictionsNext =
DeviceConfig.getBoolean(
DeviceConfig.NAMESPACE_ADSERVICES,
@@ -593,6 +606,12 @@ public final class ProcessList {
DeviceConfig.removeOnPropertiesChangedListener(this);
}
+ boolean applySdkSandboxRestrictionsAudit() {
+ synchronized (mLock) {
+ return mSdkSandboxApplyRestrictionsAudit;
+ }
+ }
+
boolean applySdkSandboxRestrictionsNext() {
synchronized (mLock) {
return mSdkSandboxApplyRestrictionsNext;
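Review bot: The new applySdkSandboxRestrictionsAudit() getter returns the raw DeviceConfig value, while the aconfig gate `selinuxSdkSandboxAudit()` is applied only at the single call site in updateSeInfo (the later hunk around line 2050), so any future caller of this getter would bypass the flag. Since the field initializer and the onPropertiesChanged case (hunk at line 627) are likewise not flag-gated, it is worth stating where the gate lives on the getter itself, e.g. `/** Raw "apply_sdk_sandbox_audit_restrictions" value; callers must also check selinuxSdkSandboxAudit() before acting on it. */`. Alternatively the flag check could be folded into this getter so the two conditions cannot drift apart; either way one place should be the documented owner of the gate.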
@@ -608,6 +627,12 @@ public final class ProcessList {
}
switch (name) {
+ case PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS:
+ mSdkSandboxApplyRestrictionsAudit =
+ properties.getBoolean(
+ PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS,
+ DEFAULT_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
+ break;
case PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS:
mSdkSandboxApplyRestrictionsNext =
properties.getBoolean(
@@ -2025,10 +2050,14 @@ public final class ProcessList {
String updateSeInfo(ProcessRecord app) {
String extraInfo = "";
// By the time the first the SDK sandbox process is started, device config service
- // should be available.
- if (app.isSdkSandbox
- && getProcessListSettingsListener().applySdkSandboxRestrictionsNext()) {
- extraInfo = APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS;
+ // should be available. If both Next and Audit are enabled, Next takes precedence.
+ if (app.isSdkSandbox) {
+ if (getProcessListSettingsListener().applySdkSandboxRestrictionsNext()) {
+ extraInfo = APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS;
+ } else if (selinuxSdkSandboxAudit()
+ && getProcessListSettingsListener().applySdkSandboxRestrictionsAudit()) {
+ extraInfo = APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS;
+ }
}
return app.info.seInfo
diff --git a/services/tests/mockingservicestests/src/com/android/server/am/ActivityManagerServiceTest.java b/services/tests/mockingservicestests/src/com/android/server/am/ActivityManagerServiceTest.java
index 3ee8050cda3e..032d026648df 100644
--- a/services/tests/mockingservicestests/src/com/android/server/am/ActivityManagerServiceTest.java
+++ b/services/tests/mockingservicestests/src/com/android/server/am/ActivityManagerServiceTest.java
@@ -86,6 +86,9 @@ import android.os.Process;
import android.os.RemoteException;
import android.os.SystemClock;
import android.platform.test.annotations.Presubmit;
+import android.platform.test.annotations.RequiresFlagsEnabled;
+import android.platform.test.flag.junit.CheckFlagsRule;
+import android.platform.test.flag.junit.DeviceFlagsValueProvider;
import android.provider.DeviceConfig;
import android.util.IntArray;
import android.util.Log;
@@ -96,6 +99,7 @@ import androidx.test.filters.SmallTest;
import androidx.test.platform.app.InstrumentationRegistry;
import com.android.dx.mockito.inline.extended.ExtendedMockito;
+import com.android.sdksandbox.flags.Flags;
import com.android.server.LocalServices;
import com.android.server.am.ActivityManagerService.StickyBroadcast;
import com.android.server.am.ProcessList.IsolatedUidRange;
@@ -145,8 +149,11 @@ public class ActivityManagerServiceTest {
private static final String TEST_EXTRA_KEY1 = "com.android.server.am.TEST_EXTRA_KEY1";
private static final String TEST_EXTRA_VALUE1 = "com.android.server.am.TEST_EXTRA_VALUE1";
+ private static final String PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS =
+ "apply_sdk_sandbox_audit_restrictions";
private static final String PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS =
"apply_sdk_sandbox_next_restrictions";
+ private static final String APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS = ":isSdkSandboxAudit";
private static final String APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS = ":isSdkSandboxNext";
private static final int TEST_UID = 11111;
private static final int USER_ID = 666;
@@ -183,6 +190,9 @@ public class ActivityManagerServiceTest {
public final ApplicationExitInfoTest.ServiceThreadRule
mServiceThreadRule = new ApplicationExitInfoTest.ServiceThreadRule();
+ @Rule
+ public final CheckFlagsRule mCheckFlagsRule = DeviceFlagsValueProvider.createCheckFlagsRule();
+
private Context mContext = getInstrumentation().getTargetContext();
@Mock private AppOpsService mAppOpsService;
@@ -338,6 +348,7 @@ public class ActivityManagerServiceTest {
mockitoSession.finishMocking();
}
}
+
@SuppressWarnings("GuardedBy")
@SmallTest
@Test
@@ -367,6 +378,77 @@ public class ActivityManagerServiceTest {
}
}
+ @SuppressWarnings("GuardedBy")
+ @SmallTest
+ @Test
+ @RequiresFlagsEnabled(Flags.FLAG_SELINUX_SDK_SANDBOX_AUDIT)
+ public void applySdkSandboxAuditRestrictions() throws Exception {
+ MockitoSession mockitoSession =
+ ExtendedMockito.mockitoSession().spyStatic(Process.class).startMocking();
+ try {
+ sProcessListSettingsListener.onPropertiesChanged(
+ new DeviceConfig.Properties(
+ DeviceConfig.NAMESPACE_ADSERVICES,
+ Map.of(PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS, "true")));
+ assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsAudit()).isTrue();
+ ExtendedMockito.doReturn(true).when(() -> Process.isSdkSandboxUid(anyInt()));
+ ApplicationInfo info = new ApplicationInfo();
+ info.packageName = "com.android.sdksandbox";
+ info.seInfo = "default:targetSdkVersion=34:complete";
+ final ProcessRecord appRec =
+ new ProcessRecord(
+ mAms,
+ info,
+ TAG,
+ Process.FIRST_SDK_SANDBOX_UID,
+ /* sdkSandboxClientPackageName= */ "com.example.client",
+ /* definingUid= */ 0,
+ /* definingProcessName= */ "");
+ assertThat(mAms.mProcessList.updateSeInfo(appRec))
+ .contains(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
+ } finally {
+ mockitoSession.finishMocking();
+ }
+ }
+
+ @SuppressWarnings("GuardedBy")
+ @SmallTest
+ @Test
+ public void applySdkSandboxNextAndAuditRestrictions() throws Exception {
+ MockitoSession mockitoSession =
+ ExtendedMockito.mockitoSession().spyStatic(Process.class).startMocking();
+ try {
+ sProcessListSettingsListener.onPropertiesChanged(
+ new DeviceConfig.Properties(
+ DeviceConfig.NAMESPACE_ADSERVICES,
+ Map.of(PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS, "true")));
+ sProcessListSettingsListener.onPropertiesChanged(
+ new DeviceConfig.Properties(
+ DeviceConfig.NAMESPACE_ADSERVICES,
+ Map.of(PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS, "true")));
+ assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsNext()).isTrue();
+ assertThat(sProcessListSettingsListener.applySdkSandboxRestrictionsAudit()).isTrue();
+ ExtendedMockito.doReturn(true).when(() -> Process.isSdkSandboxUid(anyInt()));
+ ApplicationInfo info = new ApplicationInfo();
+ info.packageName = "com.android.sdksandbox";
+ info.seInfo = "default:targetSdkVersion=34:complete";
+ final ProcessRecord appRec =
+ new ProcessRecord(
+ mAms,
+ info,
+ TAG,
+ Process.FIRST_SDK_SANDBOX_UID,
+ /* sdkSandboxClientPackageName= */ "com.example.client",
+ /* definingUid= */ 0,
+ /* definingProcessName= */ "");
+ assertThat(mAms.mProcessList.updateSeInfo(appRec))
+ .contains(APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS);
+ assertThat(mAms.mProcessList.updateSeInfo(appRec))
+ .doesNotContain(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS);
+ } finally {
+ mockitoSession.finishMocking();
+ }
+ }
private UidRecord addUidRecord(int uid) {
final UidRecord uidRec = new UidRecord(uid, mAms);
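Review bot: applySdkSandboxAuditRestrictions (starting at line 141) flips a DeviceConfig property on the shared static sProcessListSettingsListener and never resets it in the finally block, and applySdkSandboxNextAndAuditRestrictions does the same for both properties; because updateSeInfo gives Next precedence, the `contains(APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS)` assertion at line 167 depends on no earlier test having left Next enabled, which makes the outcome order-dependent unless a @Before/@After resets the listener (not visible in this hunk). Suggested reset in each finally, before finishMocking: `sProcessListSettingsListener.onPropertiesChanged(new DeviceConfig.Properties(DeviceConfig.NAMESPACE_ADSERVICES,` / `Map.of(PROPERTY_APPLY_SDK_SANDBOX_NEXT_RESTRICTIONS, "false",` / `PROPERTY_APPLY_SDK_SANDBOX_AUDIT_RESTRICTIONS, "false")));`. The second test is not annotated @RequiresFlagsEnabled(Flags.FLAG_SELINUX_SDK_SANDBOX_AUDIT), so when the flag is off its `doesNotContain` check at line 206 passes regardless of the precedence logic; if the intent is to prove precedence, gate it on the flag as well. Minor: updateSeInfo(appRec) is evaluated twice at lines 204 and 206 — assign it once to a local and assert on that.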