Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / frameworks / base / 86f08a5190c8a36497ff3b9848ce3e6d0ba2e951^! / . / core / java / android / os / ZygoteProcess.java
commit86f08a5190c8a36497ff3b9848ce3e6d0ba2e951[log] [tgz]
authorMartijn Coenen <maco@google.com>Thu Jan 03 16:23:01 2019 +0100
committerMartijn Coenen <maco@google.com>Fri Jan 18 16:37:09 2019 +0100
tree25eb1abc277faf7302e48f718edbd684213562a5
parente9ffc741456af7823e958f9777ae5d8530e739b7 [diff] [blame]
Prepare setresuid()/setresgid() seccomp filter in AppZygote.

The application zygote can run untrusted user code; since it also
has the capability to change the uid/gid of the process, we need
to ensure that any changes to the uid and/or gid stay within the
range that we have allocated for this application zygote.

For application zygotes, we install the app_zygote seccomp
filter instead of the regular app filter; the only difference
between this filter and the app one is that it allows
setuid/setgid calls.

To further limit this, pass down the allocated UID range to the
Zygote itself, which in turn installs an additional seccomp
filter that restricts setuid/setgid calls to this range.

The actual calls into seccomp are commented out until the seccomp
changes are merged; to avoid catastrophe, this will leave the
regular app filter for the app_zygote, which is more restrictive
and doesn't allow setuid at all.

Bug: 111434506
Test: atest CtsSeccompHostTestCases passes
Change-Id: I112419629f5ee4774ccbf77e2b1cfa5ddcf77e73

diff --git a/core/java/android/os/ZygoteProcess.java b/core/java/android/os/ZygoteProcess.java
index 251c5ee..99a85ea 100644
--- a/core/java/android/os/ZygoteProcess.java
+++ b/core/java/android/os/ZygoteProcess.java

@@ -809,6 +809,8 @@
      *                        may be different from <code>abi</code> in case the children
      *                        spawned from this Zygote only communicate using ABI-safe methods.
      * @param instructionSet null-ok the instruction set to use.
+     * @param uidRangeStart The first UID in the range the child zygote may setuid()/setgid() to
+     * @param uidRangeEnd The last UID in the range the child zygote may setuid()/setgid() to
      */
     public ChildZygoteProcess startChildZygote(final String processClass,
                                                final String niceName,
@@ -817,13 +819,17 @@
                                                String seInfo,
                                                String abi,
                                                String acceptedAbiList,
-                                               String instructionSet) {
+                                               String instructionSet,
+                                               int uidRangeStart,
+                                               int uidRangeEnd) {
         // Create an unguessable address in the global abstract namespace.
         final LocalSocketAddress serverAddress = new LocalSocketAddress(
                 processClass + "/" + UUID.randomUUID().toString());
 
         final String[] extraArgs = {Zygote.CHILD_ZYGOTE_SOCKET_NAME_ARG + serverAddress.getName(),
-                                    Zygote.CHILD_ZYGOTE_ABI_LIST_ARG + acceptedAbiList};
+                                    Zygote.CHILD_ZYGOTE_ABI_LIST_ARG + acceptedAbiList,
+                                    Zygote.CHILD_ZYGOTE_UID_RANGE_START + uidRangeStart,
+                                    Zygote.CHILD_ZYGOTE_UID_RANGE_END + uidRangeEnd};
 
         Process.ProcessStartResult result;
         try {