1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package com.android.server.pm; 18 19 import android.annotation.NonNull; 20 import android.annotation.Nullable; 21 import android.compat.annotation.ChangeId; 22 import android.compat.annotation.Disabled; 23 import android.compat.annotation.EnabledAfter; 24 import android.content.pm.ApplicationInfo; 25 import android.content.pm.Signature; 26 import android.content.pm.SigningDetails; 27 import android.os.Environment; 28 import android.util.Slog; 29 import android.util.Xml; 30 31 import com.android.server.compat.PlatformCompat; 32 import com.android.server.pm.parsing.pkg.AndroidPackageUtils; 33 import com.android.server.pm.pkg.AndroidPackage; 34 import com.android.server.pm.pkg.PackageState; 35 import com.android.server.pm.pkg.SharedUserApi; 36 37 import libcore.io.IoUtils; 38 39 import org.xmlpull.v1.XmlPullParser; 40 import org.xmlpull.v1.XmlPullParserException; 41 42 import java.io.File; 43 import java.io.FileReader; 44 import java.io.IOException; 45 import java.util.ArrayList; 46 import java.util.Collections; 47 import java.util.Comparator; 48 import java.util.HashMap; 49 import java.util.HashSet; 50 import java.util.List; 51 import java.util.Map; 52 import java.util.Set; 53 54 /** 55 * Centralized access to SELinux MMAC (middleware MAC) implementation. This 56 * class is responsible for loading the appropriate mac_permissions.xml file 57 * as well as providing an interface for assigning seinfo values to apks. 58 * 59 * {@hide} 60 */ 61 public final class SELinuxMMAC { 62 63 static final String TAG = "SELinuxMMAC"; 64 65 private static final boolean DEBUG_POLICY = false; 66 private static final boolean DEBUG_POLICY_INSTALL = DEBUG_POLICY || false; 67 private static final boolean DEBUG_POLICY_ORDER = DEBUG_POLICY || false; 68 69 // All policy stanzas read from mac_permissions.xml. This is also the lock 70 // to synchronize access during policy load and access attempts. 71 private static List<Policy> sPolicies = new ArrayList<>(); 72 /** Whether or not the policy files have been read */ 73 private static boolean sPolicyRead; 74 75 /** Required MAC permissions files */ 76 private static List<File> sMacPermissions = new ArrayList<>(); 77 78 private static final String DEFAULT_SEINFO = "default"; 79 80 // Append privapp to existing seinfo label 81 private static final String PRIVILEGED_APP_STR = ":privapp"; 82 83 // Append targetSdkVersion=n to existing seinfo label where n is the app's targetSdkVersion 84 private static final String TARGETSDKVERSION_STR = ":targetSdkVersion="; 85 86 /** 87 * Allows opt-in to the latest targetSdkVersion enforced changes without changing target SDK. 88 * Turning this change on for an app targeting the latest SDK or higher is a no-op. 89 * 90 * <p>Has no effect for apps using shared user id. 91 * 92 * TODO(b/143539591): Update description with relevant SELINUX changes this opts in to. 93 */ 94 @Disabled 95 @ChangeId 96 static final long SELINUX_LATEST_CHANGES = 143539591L; 97 98 /** 99 * This change gates apps access to untrusted_app_R-targetSDK SELinux domain. Allows opt-in 100 * to R targetSdkVersion enforced changes without changing target SDK. Turning this change 101 * off for an app targeting {@code >= android.os.Build.VERSION_CODES.R} is a no-op. 102 * 103 * <p>Has no effect for apps using shared user id. 104 * 105 * TODO(b/143539591): Update description with relevant SELINUX changes this opts in to. 106 */ 107 @EnabledAfter(targetSdkVersion = android.os.Build.VERSION_CODES.Q) 108 @ChangeId 109 static final long SELINUX_R_CHANGES = 168782947L; 110 111 // Only initialize sMacPermissions once. 112 static { 113 // Platform mac permissions. sMacPermissions.add(new File( Environment.getRootDirectory(), R))114 sMacPermissions.add(new File( 115 Environment.getRootDirectory(), "/etc/selinux/plat_mac_permissions.xml")); 116 117 // SystemExt mac permissions (optional). 118 final File systemExtMacPermission = new File( 119 Environment.getSystemExtDirectory(), "/etc/selinux/system_ext_mac_permissions.xml"); 120 if (systemExtMacPermission.exists()) { 121 sMacPermissions.add(systemExtMacPermission); 122 } 123 124 // Product mac permissions (optional). 125 final File productMacPermission = new File( 126 Environment.getProductDirectory(), "/etc/selinux/product_mac_permissions.xml"); 127 if (productMacPermission.exists()) { 128 sMacPermissions.add(productMacPermission); 129 } 130 131 // Vendor mac permissions. 132 final File vendorMacPermission = new File( 133 Environment.getVendorDirectory(), "/etc/selinux/vendor_mac_permissions.xml"); 134 if (vendorMacPermission.exists()) { 135 sMacPermissions.add(vendorMacPermission); 136 } 137 138 // ODM mac permissions (optional). 139 final File odmMacPermission = new File( 140 Environment.getOdmDirectory(), "/etc/selinux/odm_mac_permissions.xml"); 141 if (odmMacPermission.exists()) { 142 sMacPermissions.add(odmMacPermission); 143 } 144 } 145 146 /** 147 * Load the mac_permissions.xml file containing all seinfo assignments used to 148 * label apps. The loaded mac_permissions.xml files are plat_mac_permissions.xml and 149 * vendor_mac_permissions.xml, on /system and /vendor partitions, respectively. 150 * odm_mac_permissions.xml on /odm partition is optional. For further guidance on 151 * the proper structure of a mac_permissions.xml file consult the source code 152 * located at system/sepolicy/private/mac_permissions.xml. 153 * 154 * @return boolean indicating if policy was correctly loaded. A value of false 155 * typically indicates a structural problem with the xml or incorrectly 156 * constructed policy stanzas. A value of true means that all stanzas 157 * were loaded successfully; no partial loading is possible. 158 */ readInstallPolicy()159 public static boolean readInstallPolicy() { 160 synchronized (sPolicies) { 161 if (sPolicyRead) { 162 return true; 163 } 164 } 165 166 // Temp structure to hold the rules while we parse the xml file 167 List<Policy> policies = new ArrayList<>(); 168 169 FileReader policyFile = null; 170 XmlPullParser parser = Xml.newPullParser(); 171 172 final int count = sMacPermissions.size(); 173 for (int i = 0; i < count; ++i) { 174 final File macPermission = sMacPermissions.get(i); 175 try { 176 policyFile = new FileReader(macPermission); 177 Slog.d(TAG, "Using policy file " + macPermission); 178 179 parser.setInput(policyFile); 180 parser.nextTag(); 181 parser.require(XmlPullParser.START_TAG, null, "policy"); 182 183 while (parser.next() != XmlPullParser.END_TAG) { 184 if (parser.getEventType() != XmlPullParser.START_TAG) { 185 continue; 186 } 187 188 switch (parser.getName()) { 189 case "signer": 190 policies.add(readSignerOrThrow(parser)); 191 break; 192 default: 193 skip(parser); 194 } 195 } 196 } catch (IllegalStateException | IllegalArgumentException | 197 XmlPullParserException ex) { 198 StringBuilder sb = new StringBuilder("Exception @"); 199 sb.append(parser.getPositionDescription()); 200 sb.append(" while parsing "); 201 sb.append(macPermission); 202 sb.append(":"); 203 sb.append(ex); 204 Slog.w(TAG, sb.toString()); 205 return false; 206 } catch (IOException ioe) { 207 Slog.w(TAG, "Exception parsing " + macPermission, ioe); 208 return false; 209 } finally { 210 IoUtils.closeQuietly(policyFile); 211 } 212 } 213 214 // Now sort the policy stanzas 215 PolicyComparator policySort = new PolicyComparator(); 216 Collections.sort(policies, policySort); 217 if (policySort.foundDuplicate()) { 218 Slog.w(TAG, "ERROR! Duplicate entries found parsing mac_permissions.xml files"); 219 return false; 220 } 221 222 synchronized (sPolicies) { 223 sPolicies.clear(); 224 sPolicies.addAll(policies); 225 sPolicyRead = true; 226 227 if (DEBUG_POLICY_ORDER) { 228 for (Policy policy : sPolicies) { 229 Slog.d(TAG, "Policy: " + policy.toString()); 230 } 231 } 232 } 233 234 return true; 235 } 236 237 /** 238 * Loop over a signer tag looking for seinfo, package and cert tags. A {@link Policy} 239 * instance will be created and returned in the process. During the pass all other 240 * tag elements will be skipped. 241 * 242 * @param parser an XmlPullParser object representing a signer element. 243 * @return the constructed {@link Policy} instance 244 * @throws IOException 245 * @throws XmlPullParserException 246 * @throws IllegalArgumentException if any of the validation checks fail while 247 * parsing tag values. 248 * @throws IllegalStateException if any of the invariants fail when constructing 249 * the {@link Policy} instance. 250 */ readSignerOrThrow(XmlPullParser parser)251 private static Policy readSignerOrThrow(XmlPullParser parser) throws IOException, 252 XmlPullParserException { 253 254 parser.require(XmlPullParser.START_TAG, null, "signer"); 255 Policy.PolicyBuilder pb = new Policy.PolicyBuilder(); 256 257 // Check for a cert attached to the signer tag. We allow a signature 258 // to appear as an attribute as well as those attached to cert tags. 259 String cert = parser.getAttributeValue(null, "signature"); 260 if (cert != null) { 261 pb.addSignature(cert); 262 } 263 264 while (parser.next() != XmlPullParser.END_TAG) { 265 if (parser.getEventType() != XmlPullParser.START_TAG) { 266 continue; 267 } 268 269 String tagName = parser.getName(); 270 if ("seinfo".equals(tagName)) { 271 String seinfo = parser.getAttributeValue(null, "value"); 272 pb.setGlobalSeinfoOrThrow(seinfo); 273 readSeinfo(parser); 274 } else if ("package".equals(tagName)) { 275 readPackageOrThrow(parser, pb); 276 } else if ("cert".equals(tagName)) { 277 String sig = parser.getAttributeValue(null, "signature"); 278 pb.addSignature(sig); 279 readCert(parser); 280 } else { 281 skip(parser); 282 } 283 } 284 285 return pb.build(); 286 } 287 288 /** 289 * Loop over a package element looking for seinfo child tags. If found return the 290 * value attribute of the seinfo tag, otherwise return null. All other tags encountered 291 * will be skipped. 292 * 293 * @param parser an XmlPullParser object representing a package element. 294 * @param pb a Policy.PolicyBuilder instance to build 295 * @throws IOException 296 * @throws XmlPullParserException 297 * @throws IllegalArgumentException if any of the validation checks fail while 298 * parsing tag values. 299 * @throws IllegalStateException if there is a duplicate seinfo tag for the current 300 * package tag. 301 */ readPackageOrThrow(XmlPullParser parser, Policy.PolicyBuilder pb)302 private static void readPackageOrThrow(XmlPullParser parser, Policy.PolicyBuilder pb) throws 303 IOException, XmlPullParserException { 304 parser.require(XmlPullParser.START_TAG, null, "package"); 305 String pkgName = parser.getAttributeValue(null, "name"); 306 307 while (parser.next() != XmlPullParser.END_TAG) { 308 if (parser.getEventType() != XmlPullParser.START_TAG) { 309 continue; 310 } 311 312 String tagName = parser.getName(); 313 if ("seinfo".equals(tagName)) { 314 String seinfo = parser.getAttributeValue(null, "value"); 315 pb.addInnerPackageMapOrThrow(pkgName, seinfo); 316 readSeinfo(parser); 317 } else { 318 skip(parser); 319 } 320 } 321 } 322 readCert(XmlPullParser parser)323 private static void readCert(XmlPullParser parser) throws IOException, 324 XmlPullParserException { 325 parser.require(XmlPullParser.START_TAG, null, "cert"); 326 parser.nextTag(); 327 } 328 readSeinfo(XmlPullParser parser)329 private static void readSeinfo(XmlPullParser parser) throws IOException, 330 XmlPullParserException { 331 parser.require(XmlPullParser.START_TAG, null, "seinfo"); 332 parser.nextTag(); 333 } 334 skip(XmlPullParser p)335 private static void skip(XmlPullParser p) throws IOException, XmlPullParserException { 336 if (p.getEventType() != XmlPullParser.START_TAG) { 337 throw new IllegalStateException(); 338 } 339 int depth = 1; 340 while (depth != 0) { 341 switch (p.next()) { 342 case XmlPullParser.END_TAG: 343 depth--; 344 break; 345 case XmlPullParser.START_TAG: 346 depth++; 347 break; 348 } 349 } 350 } 351 getTargetSdkVersionForSeInfo(AndroidPackage pkg, SharedUserApi sharedUser, PlatformCompat compatibility)352 private static int getTargetSdkVersionForSeInfo(AndroidPackage pkg, 353 SharedUserApi sharedUser, PlatformCompat compatibility) { 354 // Apps which share a sharedUserId must be placed in the same selinux domain. If this 355 // package is the first app installed as this shared user, set seInfoTargetSdkVersion to its 356 // targetSdkVersion. These are later adjusted in PackageManagerService's constructor to be 357 // the lowest targetSdkVersion of all apps within the shared user, which corresponds to the 358 // least restrictive selinux domain. 359 // NOTE: As new packages are installed / updated, the shared user's seinfoTargetSdkVersion 360 // will NOT be modified until next boot, even if a lower targetSdkVersion is used. This 361 // ensures that all packages continue to run in the same selinux domain. 362 if ((sharedUser != null) && (sharedUser.getPackages().size() != 0)) { 363 return sharedUser.getSeInfoTargetSdkVersion(); 364 } 365 final ApplicationInfo appInfo = AndroidPackageUtils.generateAppInfoWithoutState(pkg); 366 if (compatibility.isChangeEnabledInternal(SELINUX_LATEST_CHANGES, appInfo)) { 367 return Math.max( 368 android.os.Build.VERSION_CODES.CUR_DEVELOPMENT, pkg.getTargetSdkVersion()); 369 } else if (compatibility.isChangeEnabledInternal(SELINUX_R_CHANGES, appInfo)) { 370 return Math.max(android.os.Build.VERSION_CODES.R, pkg.getTargetSdkVersion()); 371 } 372 373 return pkg.getTargetSdkVersion(); 374 } 375 376 /** 377 * Selects a security label to a package based on input parameters and the seinfo tag taken 378 * from a matched policy. All signature based policy stanzas are consulted and, if no match 379 * is found, the default seinfo label of 'default' is used. The security label is attached to 380 * the ApplicationInfo instance of the package. 381 * 382 * @param pkg object representing the package to be labeled. 383 * @param sharedUser if the app shares a sharedUserId, then this has the shared setting. 384 * @param compatibility the PlatformCompat service to ask about state of compat changes. 385 * @return String representing the resulting seinfo. 386 */ getSeInfo(@onNull PackageState packageState, @NonNull AndroidPackage pkg, @Nullable SharedUserApi sharedUser, @NonNull PlatformCompat compatibility)387 public static String getSeInfo(@NonNull PackageState packageState, @NonNull AndroidPackage pkg, 388 @Nullable SharedUserApi sharedUser, @NonNull PlatformCompat compatibility) { 389 final int targetSdkVersion = getTargetSdkVersionForSeInfo(pkg, sharedUser, 390 compatibility); 391 // TODO(b/71593002): isPrivileged for sharedUser and appInfo should never be out of sync. 392 // They currently can be if the sharedUser apps are signed with the platform key. 393 final boolean isPrivileged = 394 (sharedUser != null) ? sharedUser.isPrivileged() | packageState.isPrivileged() 395 : packageState.isPrivileged(); 396 return getSeInfo(pkg, isPrivileged, targetSdkVersion); 397 } 398 399 /** 400 * Selects a security label to a package based on input parameters and the seinfo tag taken 401 * from a matched policy. All signature based policy stanzas are consulted and, if no match 402 * is found, the default seinfo label of 'default' is used. The security label is attached to 403 * the ApplicationInfo instance of the package. 404 * 405 * @param pkg object representing the package to be labeled. 406 * @param isPrivileged boolean. 407 * @param targetSdkVersion int. If this pkg runs as a sharedUser, targetSdkVersion is the 408 * greater of: lowest targetSdk for all pkgs in the sharedUser, or 409 * MINIMUM_TARGETSDKVERSION. 410 * @return String representing the resulting seinfo. 411 */ getSeInfo(AndroidPackage pkg, boolean isPrivileged, int targetSdkVersion)412 public static String getSeInfo(AndroidPackage pkg, boolean isPrivileged, 413 int targetSdkVersion) { 414 String seInfo = null; 415 synchronized (sPolicies) { 416 if (!sPolicyRead) { 417 if (DEBUG_POLICY) { 418 Slog.d(TAG, "Policy not read"); 419 } 420 } else { 421 for (Policy policy : sPolicies) { 422 seInfo = policy.getMatchedSeInfo(pkg); 423 if (seInfo != null) { 424 break; 425 } 426 } 427 } 428 } 429 430 if (seInfo == null) { 431 seInfo = DEFAULT_SEINFO; 432 } 433 434 if (isPrivileged) { 435 seInfo += PRIVILEGED_APP_STR; 436 } 437 438 seInfo += TARGETSDKVERSION_STR + targetSdkVersion; 439 440 if (DEBUG_POLICY_INSTALL) { 441 Slog.i(TAG, "package (" + pkg.getPackageName() + ") labeled with " 442 + "seinfo=" + seInfo); 443 } 444 return seInfo; 445 } 446 } 447 448 /** 449 * Holds valid policy representations of individual stanzas from a mac_permissions.xml 450 * file. Each instance can further be used to assign seinfo values to apks using the 451 * {@link Policy#getMatchedSeInfo(AndroidPackage)} method. To create an instance of this use the 452 * {@link PolicyBuilder} pattern class, where each instance is validated against a set 453 * of invariants before being built and returned. Each instance can be guaranteed to 454 * hold one valid policy stanza as outlined in the system/sepolicy/mac_permissions.xml 455 * file. 456 * <p> 457 * The following is an example of how to use {@link Policy.PolicyBuilder} to create a 458 * signer based Policy instance with only inner package name refinements. 459 * </p> 460 * <pre> 461 * {@code 462 * Policy policy = new Policy.PolicyBuilder() 463 * .addSignature("308204a8...") 464 * .addSignature("483538c8...") 465 * .addInnerPackageMapOrThrow("com.foo.", "bar") 466 * .addInnerPackageMapOrThrow("com.foo.other", "bar") 467 * .build(); 468 * } 469 * </pre> 470 * <p> 471 * The following is an example of how to use {@link Policy.PolicyBuilder} to create a 472 * signer based Policy instance with only a global seinfo tag. 473 * </p> 474 * <pre> 475 * {@code 476 * Policy policy = new Policy.PolicyBuilder() 477 * .addSignature("308204a8...") 478 * .addSignature("483538c8...") 479 * .setGlobalSeinfoOrThrow("paltform") 480 * .build(); 481 * } 482 * </pre> 483 */ 484 final class Policy { 485 486 private final String mSeinfo; 487 private final Set<Signature> mCerts; 488 private final Map<String, String> mPkgMap; 489 490 // Use the PolicyBuilder pattern to instantiate Policy(PolicyBuilder builder)491 private Policy(PolicyBuilder builder) { 492 mSeinfo = builder.mSeinfo; 493 mCerts = Collections.unmodifiableSet(builder.mCerts); 494 mPkgMap = Collections.unmodifiableMap(builder.mPkgMap); 495 } 496 497 /** 498 * Return all the certs stored with this policy stanza. 499 * 500 * @return A set of Signature objects representing all the certs stored 501 * with the policy. 502 */ getSignatures()503 public Set<Signature> getSignatures() { 504 return mCerts; 505 } 506 507 /** 508 * Return whether this policy object contains package name mapping refinements. 509 * 510 * @return A boolean indicating if this object has inner package name mappings. 511 */ hasInnerPackages()512 public boolean hasInnerPackages() { 513 return !mPkgMap.isEmpty(); 514 } 515 516 /** 517 * Return the mapping of all package name refinements. 518 * 519 * @return A Map object whose keys are the package names and whose values are 520 * the seinfo assignments. 521 */ getInnerPackages()522 public Map<String, String> getInnerPackages() { 523 return mPkgMap; 524 } 525 526 /** 527 * Return whether the policy object has a global seinfo tag attached. 528 * 529 * @return A boolean indicating if this stanza has a global seinfo tag. 530 */ hasGlobalSeinfo()531 public boolean hasGlobalSeinfo() { 532 return mSeinfo != null; 533 } 534 535 @Override toString()536 public String toString() { 537 StringBuilder sb = new StringBuilder(); 538 for (Signature cert : mCerts) { 539 sb.append("cert=" + cert.toCharsString().substring(0, 11) + "... "); 540 } 541 542 if (mSeinfo != null) { 543 sb.append("seinfo=" + mSeinfo); 544 } 545 546 for (String name : mPkgMap.keySet()) { 547 sb.append(" " + name + "=" + mPkgMap.get(name)); 548 } 549 550 return sb.toString(); 551 } 552 553 /** 554 * <p> 555 * Determine the seinfo value to assign to an apk. The appropriate seinfo value 556 * is determined using the following steps: 557 * </p> 558 * <ul> 559 * <li> All certs used to sign the apk and all certs stored with this policy 560 * instance are tested for set equality. If this fails then null is returned. 561 * </li> 562 * <li> If all certs match then an appropriate inner package stanza is 563 * searched based on package name alone. If matched, the stored seinfo 564 * value for that mapping is returned. 565 * </li> 566 * <li> If all certs matched and no inner package stanza matches then return 567 * the global seinfo value. The returned value can be null in this case. 568 * </li> 569 * </ul> 570 * <p> 571 * In all cases, a return value of null should be interpreted as the apk failing 572 * to match this Policy instance; i.e. failing this policy stanza. 573 * </p> 574 * @param pkg the apk to check given as a AndroidPackage object 575 * @return A string representing the seinfo matched during policy lookup. 576 * A value of null can also be returned if no match occured. 577 */ getMatchedSeInfo(AndroidPackage pkg)578 public String getMatchedSeInfo(AndroidPackage pkg) { 579 // Check for exact signature matches across all certs. 580 Signature[] certs = mCerts.toArray(new Signature[0]); 581 if (pkg.getSigningDetails() != SigningDetails.UNKNOWN 582 && !Signature.areExactMatch(certs, pkg.getSigningDetails().getSignatures())) { 583 584 // certs aren't exact match, but the package may have rotated from the known system cert 585 if (certs.length > 1 || !pkg.getSigningDetails().hasCertificate(certs[0])) { 586 return null; 587 } 588 } 589 590 // Check for inner package name matches given that the 591 // signature checks already passed. 592 String seinfoValue = mPkgMap.get(pkg.getPackageName()); 593 if (seinfoValue != null) { 594 return seinfoValue; 595 } 596 597 // Return the global seinfo value. 598 return mSeinfo; 599 } 600 601 /** 602 * A nested builder class to create {@link Policy} instances. A {@link Policy} 603 * class instance represents one valid policy stanza found in a mac_permissions.xml 604 * file. A valid policy stanza is defined to be a signer stanza which obeys the rules 605 * outlined in system/sepolicy/mac_permissions.xml. The {@link #build} method 606 * ensures a set of invariants are upheld enforcing the correct stanza structure 607 * before returning a valid Policy object. 608 */ 609 public static final class PolicyBuilder { 610 611 private String mSeinfo; 612 private final Set<Signature> mCerts; 613 private final Map<String, String> mPkgMap; 614 PolicyBuilder()615 public PolicyBuilder() { 616 mCerts = new HashSet<Signature>(2); 617 mPkgMap = new HashMap<String, String>(2); 618 } 619 620 /** 621 * Adds a signature to the set of certs used for validation checks. The purpose 622 * being that all contained certs will need to be matched against all certs 623 * contained with an apk. 624 * 625 * @param cert the signature to add given as a String. 626 * @return The reference to this PolicyBuilder. 627 * @throws IllegalArgumentException if the cert value fails validation; 628 * null or is an invalid hex-encoded ASCII string. 629 */ addSignature(String cert)630 public PolicyBuilder addSignature(String cert) { 631 if (cert == null) { 632 String err = "Invalid signature value " + cert; 633 throw new IllegalArgumentException(err); 634 } 635 636 mCerts.add(new Signature(cert)); 637 return this; 638 } 639 640 /** 641 * Set the global seinfo tag for this policy stanza. The global seinfo tag 642 * when attached to a signer tag represents the assignment when there isn't a 643 * further inner package refinement in policy. 644 * 645 * @param seinfo the seinfo value given as a String. 646 * @return The reference to this PolicyBuilder. 647 * @throws IllegalArgumentException if the seinfo value fails validation; 648 * null, zero length or contains non-valid characters [^a-zA-Z_\._0-9]. 649 * @throws IllegalStateException if an seinfo value has already been found 650 */ setGlobalSeinfoOrThrow(String seinfo)651 public PolicyBuilder setGlobalSeinfoOrThrow(String seinfo) { 652 if (!validateValue(seinfo)) { 653 String err = "Invalid seinfo value " + seinfo; 654 throw new IllegalArgumentException(err); 655 } 656 657 if (mSeinfo != null && !mSeinfo.equals(seinfo)) { 658 String err = "Duplicate seinfo tag found"; 659 throw new IllegalStateException(err); 660 } 661 662 mSeinfo = seinfo; 663 return this; 664 } 665 666 /** 667 * Create a package name to seinfo value mapping. Each mapping represents 668 * the seinfo value that will be assigned to the described package name. 669 * These localized mappings allow the global seinfo to be overriden. 670 * 671 * @param pkgName the android package name given to the app 672 * @param seinfo the seinfo value that will be assigned to the passed pkgName 673 * @return The reference to this PolicyBuilder. 674 * @throws IllegalArgumentException if the seinfo value fails validation; 675 * null, zero length or contains non-valid characters [^a-zA-Z_\.0-9]. 676 * Or, if the package name isn't a valid android package name. 677 * @throws IllegalStateException if trying to reset a package mapping with a 678 * different seinfo value. 679 */ addInnerPackageMapOrThrow(String pkgName, String seinfo)680 public PolicyBuilder addInnerPackageMapOrThrow(String pkgName, String seinfo) { 681 if (!validateValue(pkgName)) { 682 String err = "Invalid package name " + pkgName; 683 throw new IllegalArgumentException(err); 684 } 685 if (!validateValue(seinfo)) { 686 String err = "Invalid seinfo value " + seinfo; 687 throw new IllegalArgumentException(err); 688 } 689 690 String pkgValue = mPkgMap.get(pkgName); 691 if (pkgValue != null && !pkgValue.equals(seinfo)) { 692 String err = "Conflicting seinfo value found"; 693 throw new IllegalStateException(err); 694 } 695 696 mPkgMap.put(pkgName, seinfo); 697 return this; 698 } 699 700 /** 701 * General validation routine for the attribute strings of an element. Checks 702 * if the string is non-null, positive length and only contains [a-zA-Z_\.0-9]. 703 * 704 * @param name the string to validate. 705 * @return boolean indicating if the string was valid. 706 */ validateValue(String name)707 private boolean validateValue(String name) { 708 if (name == null) 709 return false; 710 711 // Want to match on [0-9a-zA-Z_.] 712 if (!name.matches("\\A[\\.\\w]+\\z")) { 713 return false; 714 } 715 716 return true; 717 } 718 719 /** 720 * <p> 721 * Create a {@link Policy} instance based on the current configuration. This 722 * method checks for certain policy invariants used to enforce certain guarantees 723 * about the expected structure of a policy stanza. 724 * Those invariants are: 725 * </p> 726 * <ul> 727 * <li> at least one cert must be found </li> 728 * <li> either a global seinfo value is present OR at least one 729 * inner package mapping must be present BUT not both. </li> 730 * </ul> 731 * @return an instance of {@link Policy} with the options set from this builder 732 * @throws IllegalStateException if an invariant is violated. 733 */ build()734 public Policy build() { 735 Policy p = new Policy(this); 736 737 if (p.mCerts.isEmpty()) { 738 String err = "Missing certs with signer tag. Expecting at least one."; 739 throw new IllegalStateException(err); 740 } 741 if (!(p.mSeinfo == null ^ p.mPkgMap.isEmpty())) { 742 String err = "Only seinfo tag XOR package tags are allowed within " + 743 "a signer stanza."; 744 throw new IllegalStateException(err); 745 } 746 747 return p; 748 } 749 } 750 } 751 752 /** 753 * Comparision imposing an ordering on Policy objects. It is understood that Policy 754 * objects can only take one of three forms and ordered according to the following 755 * set of rules most specific to least. 756 * <ul> 757 * <li> signer stanzas with inner package mappings </li> 758 * <li> signer stanzas with global seinfo tags </li> 759 * </ul> 760 * This comparison also checks for duplicate entries on the input selectors. Any 761 * found duplicates will be flagged and can be checked with {@link #foundDuplicate}. 762 */ 763 764 final class PolicyComparator implements Comparator<Policy> { 765 766 private boolean duplicateFound = false; 767 foundDuplicate()768 public boolean foundDuplicate() { 769 return duplicateFound; 770 } 771 772 @Override compare(Policy p1, Policy p2)773 public int compare(Policy p1, Policy p2) { 774 775 // Give precedence to stanzas with inner package mappings 776 if (p1.hasInnerPackages() != p2.hasInnerPackages()) { 777 return p1.hasInnerPackages() ? -1 : 1; 778 } 779 780 // Check for duplicate entries 781 if (p1.getSignatures().equals(p2.getSignatures())) { 782 // Checks if signer w/o inner package names 783 if (p1.hasGlobalSeinfo()) { 784 duplicateFound = true; 785 Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString()); 786 } 787 788 // Look for common inner package name mappings 789 final Map<String, String> p1Packages = p1.getInnerPackages(); 790 final Map<String, String> p2Packages = p2.getInnerPackages(); 791 if (!Collections.disjoint(p1Packages.keySet(), p2Packages.keySet())) { 792 duplicateFound = true; 793 Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString()); 794 } 795 } 796 797 return 0; 798 } 799 } 800