Prepare setresuid()/setresgid() seccomp filter in AppZygote.
The application zygote can run untrusted user code; since it also
has the capability to change the uid/gid of the process, we need
to ensure that any changes to the uid and/or gid stay within the
range that we have allocated for this application zygote.
For application zygotes, we install the app_zygote seccomp
filter instead of the regular app filter; the only difference
between this filter and the app one is that it allows
setuid/setgid calls.
To further limit this, pass down the allocated UID range to the
Zygote itself, which in turn installs an additional seccomp
filter that restricts setuid/setgid calls to this range.
The actual calls into seccomp are commented out until the seccomp
changes are merged; to avoid catastrophe, this will leave the
regular app filter for the app_zygote, which is more restrictive
and doesn't allow setuid at all.
Bug: 111434506
Test: atest CtsSeccompHostTestCases passes
Change-Id: I112419629f5ee4774ccbf77e2b1cfa5ddcf77e73
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index d720c68..f5746ca 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
@@ -104,6 +104,20 @@
*/
public static final String CHILD_ZYGOTE_ABI_LIST_ARG = "--abi-list=";
+ /**
+ * An extraArg passed when a zygote process is forking a child-zygote, specifying the
+ * start of the UID range the children of the Zygote may setuid()/setgid() to. This
+ * will be enforced with a seccomp filter.
+ */
+ public static final String CHILD_ZYGOTE_UID_RANGE_START = "--uid-range-start=";
+
+ /**
+ * An extraArg passed when a zygote process is forking a child-zygote, specifying the
+ * end of the UID range the children of the Zygote may setuid()/setgid() to. This
+ * will be enforced with a seccomp filter.
+ */
+ public static final String CHILD_ZYGOTE_UID_RANGE_END = "--uid-range-end=";
+
private Zygote() {}
/** Called for some security initialization before any fork. */
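Review bot: the javadoc on CHILD_ZYGOTE_UID_RANGE_START/CHILD_ZYGOTE_UID_RANGE_END says the range "will be enforced with a seccomp filter", but the commit message states the seccomp calls are commented out until the seccomp change lands, so nothing enforces it in this revision; either reference the bug here or say enforcement is pending so callers do not rely on it yet. The docs should also state that the two args must be passed together, that the bounds are inclusive, and that the range applies to setresuid()/setresgid() (the wording "setuid()/setgid()" here does not match nativeInstallSeccompUidGidFilter, which is documented in terms of setresuid()/setresgid()).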
@@ -222,6 +236,13 @@
native protected static void nativeAllowFileAcrossFork(String path);
/**
+ * Installs a seccomp filter that limits setresuid()/setresgid() to the passed-in range
+ * @param uidGidMin The smallest allowed uid/gid
+ * @param uidGidMax The largest allowed uid/gid
+ */
+ native protected static void nativeInstallSeccompUidGidFilter(int uidGidMin, int uidGidMax);
+
+ /**
* Zygote unmount storage space on initializing.
* This method is called once.
*/
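Review bot: nativeInstallSeccompUidGidFilter(int uidGidMin, int uidGidMax) takes signed ints for values that are unsigned uid_t/gid_t on the native side, so the javadoc should state whether the bounds are inclusive and what happens for negative values or uidGidMin > uidGidMax (reject in Java before crossing JNI, rather than handing a bogus range to the filter). It should also say when the method must be called (once, in the child zygote, before it forks any children) and that failure to install the filter is fatal, since the commit message notes the app_zygote policy is the permissive one that allows setuid; the missing period after "passed-in range" is a nit.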