Pass additional inputs when spawning apps via the Zygote and add SELinux permission checks.

When spawning an app process, the ActivityManagerService has additional information
about the app package that may be useful in setting a SELinux security context on the
process.  Extend the Process.start() interface to allow passing such information
to the Zygote spawner.  We originally considered using the existing zygoteArgs
argument, but found that those arguments are appended after the class name and
left uninterpreted by ZygoteConnection, merely passed along to the class or wrapper.
Thus we introduce a new seInfo argument for this purpose.

Modify the ZygoteConnection to interpret the new option and convey it to
forkAndSpecialize, as well as passing the nice name as a further input.
Also modify the ZygoteConnection to apply SELinux permission checks on
privileged operations.

Change-Id: I66045ffd33ca9898b1d026882bcc1c5baf3adc17
diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
index e1bc275..50567b2 100644
--- a/core/java/android/os/Process.java
+++ b/core/java/android/os/Process.java
@@ -274,6 +274,7 @@
      * @param gids Additional group-ids associated with the process.
      * @param debugFlags Additional flags.
      * @param targetSdkVersion The target SDK version for the app.
+     * @param seInfo null-ok SE Android information for the new process.
      * @param zygoteArgs Additional arguments to supply to the zygote process.
      * 
      * @return An object that describes the result of the attempt to start the process.
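Review bot: The new `@param seInfo` line in the start() javadoc says only "null-ok SE Android information", which does not tell a caller what the string contains, who is expected to derive it, or what a null value means for the spawned process. Since the commit message says this value is used in setting the SELinux security context, the javadoc should state the expected format, that the value is meant to come from the ActivityManagerService's package information, and that null means no `--seinfo` argument is sent.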
@@ -285,10 +286,11 @@
                                   final String niceName,
                                   int uid, int gid, int[] gids,
                                   int debugFlags, int targetSdkVersion,
+                                  String seInfo,
                                   String[] zygoteArgs) {
         try {
             return startViaZygote(processClass, niceName, uid, gid, gids,
-                    debugFlags, targetSdkVersion, zygoteArgs);
+                    debugFlags, targetSdkVersion, seInfo, zygoteArgs);
         } catch (ZygoteStartFailedEx ex) {
             Log.e(LOG_TAG,
                     "Starting VM process through Zygote failed");
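Review bot: In the start() signature, `String seInfo` is inserted ahead of `String[] zygoteArgs` rather than added through an overload, so every existing caller of start() stops compiling until it is updated in this same change. Either confirm that all call sites are covered by the patch, or keep the old signature as a thin overload that delegates with seInfo set to null, which the `null-ok` contract already allows.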
@@ -451,6 +453,7 @@
      * new process should setgroup() to.
      * @param debugFlags Additional flags.
      * @param targetSdkVersion The target SDK version for the app.
+     * @param seInfo null-ok SE Android information for the new process.
      * @param extraArgs Additional arguments to supply to the zygote process.
      * @return An object that describes the result of the attempt to start the process.
      * @throws ZygoteStartFailedEx if process start failed for any reason
@@ -460,6 +463,7 @@
                                   final int uid, final int gid,
                                   final int[] gids,
                                   int debugFlags, int targetSdkVersion,
+                                  String seInfo,
                                   String[] extraArgs)
                                   throws ZygoteStartFailedEx {
         synchronized(Process.class) {
@@ -510,6 +514,10 @@
                 argsForZygote.add("--nice-name=" + niceName);
             }
 
+            if (seInfo != null) {
+                argsForZygote.add("--seinfo=" + seInfo);
+            }
+
             argsForZygote.add(processClass);
 
             if (extraArgs != null) {
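Review bot: At `argsForZygote.add("--seinfo=" + seInfo);` the value is concatenated into a Zygote argument behind a null check only, and nothing in this hunk constrains its content. Because the commit message describes seInfo as an input to setting the SELinux security context of the new process, consider rejecting values that contain newlines or other whitespace before adding them, so a malformed string can only ever be read as a single `--seinfo` argument. Also decide whether an empty string should be treated like null instead of being sent as a bare `--seinfo=`.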