| /* |
| * Copyright (C) 2012 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| package com.android.server.pm; |
| |
| import android.content.pm.PackageParser; |
| import android.content.pm.Signature; |
| import android.os.Environment; |
| import android.util.Slog; |
| import android.util.Xml; |
| |
| import libcore.io.IoUtils; |
| |
| import java.io.File; |
| import java.io.FileNotFoundException; |
| import java.io.FileOutputStream; |
| import java.io.FileReader; |
| import java.io.IOException; |
| import java.security.MessageDigest; |
| import java.security.NoSuchAlgorithmException; |
| |
| import java.util.ArrayList; |
| import java.util.Collections; |
| import java.util.Comparator; |
| import java.util.HashMap; |
| import java.util.HashSet; |
| import java.util.List; |
| import java.util.Map; |
| import java.util.Set; |
| |
| import org.xmlpull.v1.XmlPullParser; |
| import org.xmlpull.v1.XmlPullParserException; |
| |
| /** |
| * Centralized access to SELinux MMAC (middleware MAC) implementation. This |
| * class is responsible for loading the appropriate mac_permissions.xml file |
| * as well as providing an interface for assigning seinfo values to apks. |
| * |
| * {@hide} |
| */ |
| public final class SELinuxMMAC { |
| |
| static final String TAG = "SELinuxMMAC"; |
| |
| private static final boolean DEBUG_POLICY = false; |
| private static final boolean DEBUG_POLICY_INSTALL = DEBUG_POLICY || false; |
| private static final boolean DEBUG_POLICY_ORDER = DEBUG_POLICY || false; |
| |
| // All policy stanzas read from mac_permissions.xml. This is also the lock |
| // to synchronize access during policy load and access attempts. |
| private static List<Policy> sPolicies = new ArrayList<>(); |
| |
| // Data policy override version file. |
| private static final String DATA_VERSION_FILE = |
| Environment.getDataDirectory() + "/security/current/selinux_version"; |
| |
| // Base policy version file. |
| private static final String BASE_VERSION_FILE = "/selinux_version"; |
| |
| // Whether override security policies should be loaded. |
| private static final boolean USE_OVERRIDE_POLICY = useOverridePolicy(); |
| |
| // Data override mac_permissions.xml policy file. |
| private static final String DATA_MAC_PERMISSIONS = |
| Environment.getDataDirectory() + "/security/current/mac_permissions.xml"; |
| |
| // Base mac_permissions.xml policy file. |
| private static final String BASE_MAC_PERMISSIONS = |
| Environment.getRootDirectory() + "/etc/security/mac_permissions.xml"; |
| |
| // Determine which mac_permissions.xml file to use. |
| private static final String MAC_PERMISSIONS = USE_OVERRIDE_POLICY ? |
| DATA_MAC_PERMISSIONS : BASE_MAC_PERMISSIONS; |
| |
| // Data override seapp_contexts policy file. |
| private static final String DATA_SEAPP_CONTEXTS = |
| Environment.getDataDirectory() + "/security/current/seapp_contexts"; |
| |
| // Base seapp_contexts policy file. |
| private static final String BASE_SEAPP_CONTEXTS = "/seapp_contexts"; |
| |
| // Determine which seapp_contexts file to use. |
| private static final String SEAPP_CONTEXTS = USE_OVERRIDE_POLICY ? |
| DATA_SEAPP_CONTEXTS : BASE_SEAPP_CONTEXTS; |
| |
| // Stores the hash of the last used seapp_contexts file. |
| private static final String SEAPP_HASH_FILE = |
| Environment.getDataDirectory().toString() + "/system/seapp_hash"; |
| |
| /** |
| * Load the mac_permissions.xml file containing all seinfo assignments used to |
| * label apps. The loaded mac_permissions.xml file is determined by the |
| * MAC_PERMISSIONS class variable which is set at class load time which itself |
| * is based on the USE_OVERRIDE_POLICY class variable. For further guidance on |
| * the proper structure of a mac_permissions.xml file consult the source code |
| * located at external/sepolicy/mac_permissions.xml. |
| * |
| * @return boolean indicating if policy was correctly loaded. A value of false |
| * typically indicates a structural problem with the xml or incorrectly |
| * constructed policy stanzas. A value of true means that all stanzas |
| * were loaded successfully; no partial loading is possible. |
| */ |
| public static boolean readInstallPolicy() { |
| // Temp structure to hold the rules while we parse the xml file |
| List<Policy> policies = new ArrayList<>(); |
| |
| FileReader policyFile = null; |
| XmlPullParser parser = Xml.newPullParser(); |
| try { |
| policyFile = new FileReader(MAC_PERMISSIONS); |
| Slog.d(TAG, "Using policy file " + MAC_PERMISSIONS); |
| |
| parser.setInput(policyFile); |
| parser.nextTag(); |
| parser.require(XmlPullParser.START_TAG, null, "policy"); |
| |
| while (parser.next() != XmlPullParser.END_TAG) { |
| if (parser.getEventType() != XmlPullParser.START_TAG) { |
| continue; |
| } |
| |
| switch (parser.getName()) { |
| case "signer": |
| policies.add(readSignerOrThrow(parser)); |
| break; |
| case "default": |
| policies.add(readDefaultOrThrow(parser)); |
| break; |
| default: |
| skip(parser); |
| } |
| } |
| } catch (IllegalStateException | IllegalArgumentException | |
| XmlPullParserException ex) { |
| StringBuilder sb = new StringBuilder("Exception @"); |
| sb.append(parser.getPositionDescription()); |
| sb.append(" while parsing "); |
| sb.append(MAC_PERMISSIONS); |
| sb.append(":"); |
| sb.append(ex); |
| Slog.w(TAG, sb.toString()); |
| return false; |
| } catch (IOException ioe) { |
| Slog.w(TAG, "Exception parsing " + MAC_PERMISSIONS, ioe); |
| return false; |
| } finally { |
| IoUtils.closeQuietly(policyFile); |
| } |
| |
| // Now sort the policy stanzas |
| PolicyComparator policySort = new PolicyComparator(); |
| Collections.sort(policies, policySort); |
| if (policySort.foundDuplicate()) { |
| Slog.w(TAG, "ERROR! Duplicate entries found parsing " + MAC_PERMISSIONS); |
| return false; |
| } |
| |
| synchronized (sPolicies) { |
| sPolicies = policies; |
| |
| if (DEBUG_POLICY_ORDER) { |
| for (Policy policy : sPolicies) { |
| Slog.d(TAG, "Policy: " + policy.toString()); |
| } |
| } |
| } |
| |
| return true; |
| } |
| |
| /** |
| * Loop over a signer tag looking for seinfo, package and cert tags. A {@link Policy} |
| * instance will be created and returned in the process. During the pass all other |
| * tag elements will be skipped. |
| * |
| * @param parser an XmlPullParser object representing a signer element. |
| * @return the constructed {@link Policy} instance |
| * @throws IOException |
| * @throws XmlPullParserException |
| * @throws IllegalArgumentException if any of the validation checks fail while |
| * parsing tag values. |
| * @throws IllegalStateException if any of the invariants fail when constructing |
| * the {@link Policy} instance. |
| */ |
| private static Policy readSignerOrThrow(XmlPullParser parser) throws IOException, |
| XmlPullParserException { |
| |
| parser.require(XmlPullParser.START_TAG, null, "signer"); |
| Policy.PolicyBuilder pb = new Policy.PolicyBuilder(); |
| |
| // Check for a cert attached to the signer tag. We allow a signature |
| // to appear as an attribute as well as those attached to cert tags. |
| String cert = parser.getAttributeValue(null, "signature"); |
| if (cert != null) { |
| pb.addSignature(cert); |
| } |
| |
| while (parser.next() != XmlPullParser.END_TAG) { |
| if (parser.getEventType() != XmlPullParser.START_TAG) { |
| continue; |
| } |
| |
| String tagName = parser.getName(); |
| if ("seinfo".equals(tagName)) { |
| String seinfo = parser.getAttributeValue(null, "value"); |
| pb.setGlobalSeinfoOrThrow(seinfo); |
| readSeinfo(parser); |
| } else if ("package".equals(tagName)) { |
| readPackageOrThrow(parser, pb); |
| } else if ("cert".equals(tagName)) { |
| String sig = parser.getAttributeValue(null, "signature"); |
| pb.addSignature(sig); |
| readCert(parser); |
| } else { |
| skip(parser); |
| } |
| } |
| |
| return pb.build(); |
| } |
| |
| /** |
| * Loop over a default element looking for seinfo child tags. A {@link Policy} |
| * instance will be created and returned in the process. All other tags encountered |
| * will be skipped. |
| * |
| * @param parser an XmlPullParser object representing a default element. |
| * @return the constructed {@link Policy} instance |
| * @throws IOException |
| * @throws XmlPullParserException |
| * @throws IllegalArgumentException if any of the validation checks fail while |
| * parsing tag values. |
| * @throws IllegalStateException if any of the invariants fail when constructing |
| * the {@link Policy} instance. |
| */ |
| private static Policy readDefaultOrThrow(XmlPullParser parser) throws IOException, |
| XmlPullParserException { |
| |
| parser.require(XmlPullParser.START_TAG, null, "default"); |
| Policy.PolicyBuilder pb = new Policy.PolicyBuilder(); |
| pb.setAsDefaultPolicy(); |
| |
| while (parser.next() != XmlPullParser.END_TAG) { |
| if (parser.getEventType() != XmlPullParser.START_TAG) { |
| continue; |
| } |
| |
| String tagName = parser.getName(); |
| if ("seinfo".equals(tagName)) { |
| String seinfo = parser.getAttributeValue(null, "value"); |
| pb.setGlobalSeinfoOrThrow(seinfo); |
| readSeinfo(parser); |
| } else { |
| skip(parser); |
| } |
| } |
| |
| return pb.build(); |
| } |
| |
| /** |
| * Loop over a package element looking for seinfo child tags. If found return the |
| * value attribute of the seinfo tag, otherwise return null. All other tags encountered |
| * will be skipped. |
| * |
| * @param parser an XmlPullParser object representing a package element. |
| * @param pb a Policy.PolicyBuilder instance to build |
| * @throws IOException |
| * @throws XmlPullParserException |
| * @throws IllegalArgumentException if any of the validation checks fail while |
| * parsing tag values. |
| * @throws IllegalStateException if there is a duplicate seinfo tag for the current |
| * package tag. |
| */ |
| private static void readPackageOrThrow(XmlPullParser parser, Policy.PolicyBuilder pb) throws |
| IOException, XmlPullParserException { |
| parser.require(XmlPullParser.START_TAG, null, "package"); |
| String pkgName = parser.getAttributeValue(null, "name"); |
| |
| while (parser.next() != XmlPullParser.END_TAG) { |
| if (parser.getEventType() != XmlPullParser.START_TAG) { |
| continue; |
| } |
| |
| String tagName = parser.getName(); |
| if ("seinfo".equals(tagName)) { |
| String seinfo = parser.getAttributeValue(null, "value"); |
| pb.addInnerPackageMapOrThrow(pkgName, seinfo); |
| readSeinfo(parser); |
| } else { |
| skip(parser); |
| } |
| } |
| } |
| |
| private static void readCert(XmlPullParser parser) throws IOException, |
| XmlPullParserException { |
| parser.require(XmlPullParser.START_TAG, null, "cert"); |
| parser.nextTag(); |
| } |
| |
| private static void readSeinfo(XmlPullParser parser) throws IOException, |
| XmlPullParserException { |
| parser.require(XmlPullParser.START_TAG, null, "seinfo"); |
| parser.nextTag(); |
| } |
| |
| private static void skip(XmlPullParser p) throws IOException, XmlPullParserException { |
| if (p.getEventType() != XmlPullParser.START_TAG) { |
| throw new IllegalStateException(); |
| } |
| int depth = 1; |
| while (depth != 0) { |
| switch (p.next()) { |
| case XmlPullParser.END_TAG: |
| depth--; |
| break; |
| case XmlPullParser.START_TAG: |
| depth++; |
| break; |
| } |
| } |
| } |
| |
| /** |
| * Applies a security label to a package based on an seinfo tag taken from a matched |
| * policy. All signature based policy stanzas are consulted first and, if no match |
| * is found, the default policy stanza is then consulted. The security label is |
| * attached to the ApplicationInfo instance of the package in the event that a matching |
| * policy was found. |
| * |
| * @param pkg object representing the package to be labeled. |
| * @return boolean which determines whether a non null seinfo label was assigned |
| * to the package. A null value simply represents that no policy matched. |
| */ |
| public static boolean assignSeinfoValue(PackageParser.Package pkg) { |
| synchronized (sPolicies) { |
| for (Policy policy : sPolicies) { |
| String seinfo = policy.getMatchedSeinfo(pkg); |
| if (seinfo != null) { |
| pkg.applicationInfo.seinfo = seinfo; |
| if (DEBUG_POLICY_INSTALL) { |
| Slog.i(TAG, "package (" + pkg.packageName + ") labeled with " + |
| "seinfo=" + seinfo); |
| } |
| return true; |
| } |
| } |
| } |
| |
| if (DEBUG_POLICY_INSTALL) { |
| Slog.i(TAG, "package (" + pkg.packageName + ") doesn't match any policy; " + |
| "seinfo will remain null"); |
| } |
| return false; |
| } |
| |
| /** |
| * Determines if a recursive restorecon on /data/data and /data/user is needed. |
| * It does this by comparing the SHA-1 of the seapp_contexts file against the |
| * stored hash at /data/system/seapp_hash. |
| * |
| * @return Returns true if the restorecon should occur or false otherwise. |
| */ |
| public static boolean shouldRestorecon() { |
| // Any error with the seapp_contexts file should be fatal |
| byte[] currentHash = null; |
| try { |
| currentHash = returnHash(SEAPP_CONTEXTS); |
| } catch (IOException ioe) { |
| Slog.e(TAG, "Error with hashing seapp_contexts.", ioe); |
| return false; |
| } |
| |
| // Push past any error with the stored hash file |
| byte[] storedHash = null; |
| try { |
| storedHash = IoUtils.readFileAsByteArray(SEAPP_HASH_FILE); |
| } catch (IOException ioe) { |
| Slog.w(TAG, "Error opening " + SEAPP_HASH_FILE + ". Assuming first boot."); |
| } |
| |
| return (storedHash == null || !MessageDigest.isEqual(storedHash, currentHash)); |
| } |
| |
| /** |
| * Stores the SHA-1 of the seapp_contexts to /data/system/seapp_hash. |
| */ |
| public static void setRestoreconDone() { |
| try { |
| final byte[] currentHash = returnHash(SEAPP_CONTEXTS); |
| dumpHash(new File(SEAPP_HASH_FILE), currentHash); |
| } catch (IOException ioe) { |
| Slog.e(TAG, "Error with saving hash to " + SEAPP_HASH_FILE, ioe); |
| } |
| } |
| |
| /** |
| * Dump the contents of a byte array to a specified file. |
| * |
| * @param file The file that receives the byte array content. |
| * @param content A byte array that will be written to the specified file. |
| * @throws IOException if any failed I/O operation occured. |
| * Included is the failure to atomically rename the tmp |
| * file used in the process. |
| */ |
| private static void dumpHash(File file, byte[] content) throws IOException { |
| FileOutputStream fos = null; |
| File tmp = null; |
| try { |
| tmp = File.createTempFile("seapp_hash", ".journal", file.getParentFile()); |
| tmp.setReadable(true); |
| fos = new FileOutputStream(tmp); |
| fos.write(content); |
| fos.getFD().sync(); |
| if (!tmp.renameTo(file)) { |
| throw new IOException("Failure renaming " + file.getCanonicalPath()); |
| } |
| } finally { |
| if (tmp != null) { |
| tmp.delete(); |
| } |
| IoUtils.closeQuietly(fos); |
| } |
| } |
| |
| /** |
| * Return the SHA-1 of a file. |
| * |
| * @param file The path to the file given as a string. |
| * @return Returns the SHA-1 of the file as a byte array. |
| * @throws IOException if any failed I/O operations occured. |
| */ |
| private static byte[] returnHash(String file) throws IOException { |
| try { |
| final byte[] contents = IoUtils.readFileAsByteArray(file); |
| return MessageDigest.getInstance("SHA-1").digest(contents); |
| } catch (NoSuchAlgorithmException nsae) { |
| throw new RuntimeException(nsae); // impossible |
| } |
| } |
| |
| private static boolean useOverridePolicy() { |
| try { |
| final String overrideVersion = IoUtils.readFileAsString(DATA_VERSION_FILE); |
| final String baseVersion = IoUtils.readFileAsString(BASE_VERSION_FILE); |
| if (overrideVersion.equals(baseVersion)) { |
| return true; |
| } |
| Slog.e(TAG, "Override policy version '" + overrideVersion + "' doesn't match " + |
| "base version '" + baseVersion + "'. Skipping override policy files."); |
| } catch (FileNotFoundException fnfe) { |
| // Override version file doesn't have to exist so silently ignore. |
| } catch (IOException ioe) { |
| Slog.w(TAG, "Skipping override policy files.", ioe); |
| } |
| return false; |
| } |
| } |
| |
| /** |
| * Holds valid policy representations of individual stanzas from a mac_permissions.xml |
| * file. Each instance can further be used to assign seinfo values to apks using the |
| * {@link Policy#getMatchedSeinfo} method. To create an instance of this use the |
| * {@link PolicyBuilder} pattern class, where each instance is validated against a set |
| * of invariants before being built and returned. Each instance can be guaranteed to |
| * hold one valid policy stanza as outlined in the external/sepolicy/mac_permissions.xml |
| * file. |
| * <p> |
| * The following is an example of how to use {@link Policy.PolicyBuilder} to create a |
| * signer based Policy instance with only inner package name refinements. |
| * </p> |
| * <pre> |
| * {@code |
| * Policy policy = new Policy.PolicyBuilder() |
| * .addSignature("308204a8...") |
| * .addSignature("483538c8...") |
| * .addInnerPackageMapOrThrow("com.foo.", "bar") |
| * .addInnerPackageMapOrThrow("com.foo.other", "bar") |
| * .build(); |
| * } |
| * </pre> |
| * <p> |
| * The following is an example of how to use {@link Policy.PolicyBuilder} to create a |
| * signer based Policy instance with only a global seinfo tag. |
| * </p> |
| * <pre> |
| * {@code |
| * Policy policy = new Policy.PolicyBuilder() |
| * .addSignature("308204a8...") |
| * .addSignature("483538c8...") |
| * .setGlobalSeinfoOrThrow("paltform") |
| * .build(); |
| * } |
| * </pre> |
| * <p> |
| * The following is an example of how to use {@link Policy.PolicyBuilder} to create a |
| * default based Policy instance. |
| * </p> |
| * <pre> |
| * {@code |
| * Policy policy = new Policy.PolicyBuilder() |
| * .setAsDefaultPolicy() |
| * .setGlobalSeinfoOrThrow("default") |
| * .build(); |
| * } |
| * </pre> |
| */ |
| final class Policy { |
| |
| private final String mSeinfo; |
| private final boolean mDefaultStanza; |
| private final Set<Signature> mCerts; |
| private final Map<String, String> mPkgMap; |
| |
| // Use the PolicyBuilder pattern to instantiate |
| private Policy(PolicyBuilder builder) { |
| mSeinfo = builder.mSeinfo; |
| mDefaultStanza = builder.mDefaultStanza; |
| mCerts = Collections.unmodifiableSet(builder.mCerts); |
| mPkgMap = Collections.unmodifiableMap(builder.mPkgMap); |
| } |
| |
| /** |
| * Return all the certs stored with this policy stanza. |
| * |
| * @return A set of Signature objects representing all the certs stored |
| * with the policy. |
| */ |
| public Set<Signature> getSignatures() { |
| return mCerts; |
| } |
| |
| /** |
| * Return whether this policy object represents a default stanza. |
| * |
| * @return A boolean indicating if this object represents a default policy stanza. |
| */ |
| public boolean isDefaultStanza() { |
| return mDefaultStanza; |
| } |
| |
| /** |
| * Return whether this policy object contains package name mapping refinements. |
| * |
| * @return A boolean indicating if this object has inner package name mappings. |
| */ |
| public boolean hasInnerPackages() { |
| return !mPkgMap.isEmpty(); |
| } |
| |
| /** |
| * Return the mapping of all package name refinements. |
| * |
| * @return A Map object whose keys are the package names and whose values are |
| * the seinfo assignments. |
| */ |
| public Map<String, String> getInnerPackages() { |
| return mPkgMap; |
| } |
| |
| /** |
| * Return whether the policy object has a global seinfo tag attached. |
| * |
| * @return A boolean indicating if this stanza has a global seinfo tag. |
| */ |
| public boolean hasGlobalSeinfo() { |
| return mSeinfo != null; |
| } |
| |
| @Override |
| public String toString() { |
| StringBuilder sb = new StringBuilder(); |
| if (mDefaultStanza) { |
| sb.append("defaultStanza=true "); |
| } |
| |
| for (Signature cert : mCerts) { |
| sb.append("cert=" + cert.toCharsString().substring(0, 11) + "... "); |
| } |
| |
| if (mSeinfo != null) { |
| sb.append("seinfo=" + mSeinfo); |
| } |
| |
| for (String name : mPkgMap.keySet()) { |
| sb.append(" " + name + "=" + mPkgMap.get(name)); |
| } |
| |
| return sb.toString(); |
| } |
| |
| /** |
| * <p> |
| * Determine the seinfo value to assign to an apk. The appropriate seinfo value |
| * is determined using the following steps: |
| * </p> |
| * <ul> |
| * <li> If this Policy instance is defined as a default stanza: |
| * <ul><li>Return the global seinfo value</li></ul> |
| * </li> |
| * <li> If this Policy instance is defined as a signer stanza: |
| * <ul> |
| * <li> All certs used to sign the apk and all certs stored with this policy |
| * instance are tested for set equality. If this fails then null is returned. |
| * </li> |
| * <li> If all certs match then an appropriate inner package stanza is |
| * searched based on package name alone. If matched, the stored seinfo |
| * value for that mapping is returned. |
| * </li> |
| * <li> If all certs matched and no inner package stanza matches then return |
| * the global seinfo value. The returned value can be null in this case. |
| * </li> |
| * </ul> |
| * </li> |
| * </ul> |
| * <p> |
| * In all cases, a return value of null should be interpreted as the apk failing |
| * to match this Policy instance; i.e. failing this policy stanza. |
| * </p> |
| * @param pkg the apk to check given as a PackageParser.Package object |
| * @return A string representing the seinfo matched during policy lookup. |
| * A value of null can also be returned if no match occured. |
| */ |
| public String getMatchedSeinfo(PackageParser.Package pkg) { |
| if (!mDefaultStanza) { |
| // Check for exact signature matches across all certs. |
| Signature[] certs = mCerts.toArray(new Signature[0]); |
| if (!Signature.areExactMatch(certs, pkg.mSignatures)) { |
| return null; |
| } |
| |
| // Check for inner package name matches given that the |
| // signature checks already passed. |
| String seinfoValue = mPkgMap.get(pkg.packageName); |
| if (seinfoValue != null) { |
| return seinfoValue; |
| } |
| } |
| |
| // Return the global seinfo value (even if it's null). |
| return mSeinfo; |
| } |
| |
| /** |
| * A nested builder class to create {@link Policy} instances. A {@link Policy} |
| * class instance represents one valid policy stanza found in a mac_permissions.xml |
| * file. A valid policy stanza is defined to be either a signer or default stanza |
| * which obeys the rules outlined in external/sepolicy/mac_permissions.xml. The |
| * {@link #build} method ensures a set of invariants are upheld enforcing the correct |
| * stanza structure before returning a valid Policy object. |
| */ |
| public static final class PolicyBuilder { |
| |
| private String mSeinfo; |
| private boolean mDefaultStanza; |
| private final Set<Signature> mCerts; |
| private final Map<String, String> mPkgMap; |
| |
| public PolicyBuilder() { |
| mCerts = new HashSet<Signature>(2); |
| mPkgMap = new HashMap<String, String>(2); |
| } |
| |
| /** |
| * Sets this stanza as a default stanza. All policy stanzas are assumed to |
| * be signer stanzas unless this method is explicitly called. Default stanzas |
| * are treated differently with respect to allowable child tags, ordering and |
| * when and how policy decisions are enforced. |
| * |
| * @return The reference to this PolicyBuilder. |
| */ |
| public PolicyBuilder setAsDefaultPolicy() { |
| mDefaultStanza = true; |
| return this; |
| } |
| |
| /** |
| * Adds a signature to the set of certs used for validation checks. The purpose |
| * being that all contained certs will need to be matched against all certs |
| * contained with an apk. |
| * |
| * @param cert the signature to add given as a String. |
| * @return The reference to this PolicyBuilder. |
| * @throws IllegalArgumentException if the cert value fails validation; |
| * null or is an invalid hex-encoded ASCII string. |
| */ |
| public PolicyBuilder addSignature(String cert) { |
| if (cert == null) { |
| String err = "Invalid signature value " + cert; |
| throw new IllegalArgumentException(err); |
| } |
| |
| mCerts.add(new Signature(cert)); |
| return this; |
| } |
| |
| /** |
| * Set the global seinfo tag for this policy stanza. The global seinfo tag |
| * represents the seinfo element that is used in one of two ways depending on |
| * its context. When attached to a signer tag the global seinfo represents an |
| * assignment when there isn't a further inner package refinement in policy. |
| * When used with a default tag, it represents the only allowable assignment |
| * value. |
| * |
| * @param seinfo the seinfo value given as a String. |
| * @return The reference to this PolicyBuilder. |
| * @throws IllegalArgumentException if the seinfo value fails validation; |
| * null, zero length or contains non-valid characters [^a-zA-Z_\._0-9]. |
| * @throws IllegalStateException if an seinfo value has already been found |
| */ |
| public PolicyBuilder setGlobalSeinfoOrThrow(String seinfo) { |
| if (!validateValue(seinfo)) { |
| String err = "Invalid seinfo value " + seinfo; |
| throw new IllegalArgumentException(err); |
| } |
| |
| if (mSeinfo != null && !mSeinfo.equals(seinfo)) { |
| String err = "Duplicate seinfo tag found"; |
| throw new IllegalStateException(err); |
| } |
| |
| mSeinfo = seinfo; |
| return this; |
| } |
| |
| /** |
| * Create a package name to seinfo value mapping. Each mapping represents |
| * the seinfo value that will be assigned to the described package name. |
| * These localized mappings allow the global seinfo to be overriden. This |
| * mapping provides no value when used in conjunction with a default stanza; |
| * enforced through the {@link #build} method. |
| * |
| * @param pkgName the android package name given to the app |
| * @param seinfo the seinfo value that will be assigned to the passed pkgName |
| * @return The reference to this PolicyBuilder. |
| * @throws IllegalArgumentException if the seinfo value fails validation; |
| * null, zero length or contains non-valid characters [^a-zA-Z_\.0-9]. |
| * Or, if the package name isn't a valid android package name. |
| * @throws IllegalStateException if trying to reset a package mapping with a |
| * different seinfo value. |
| */ |
| public PolicyBuilder addInnerPackageMapOrThrow(String pkgName, String seinfo) { |
| if (!validateValue(pkgName)) { |
| String err = "Invalid package name " + pkgName; |
| throw new IllegalArgumentException(err); |
| } |
| if (!validateValue(seinfo)) { |
| String err = "Invalid seinfo value " + seinfo; |
| throw new IllegalArgumentException(err); |
| } |
| |
| String pkgValue = mPkgMap.get(pkgName); |
| if (pkgValue != null && !pkgValue.equals(seinfo)) { |
| String err = "Conflicting seinfo value found"; |
| throw new IllegalStateException(err); |
| } |
| |
| mPkgMap.put(pkgName, seinfo); |
| return this; |
| } |
| |
| /** |
| * General validation routine for the attribute strings of an element. Checks |
| * if the string is non-null, positive length and only contains [a-zA-Z_\.0-9]. |
| * |
| * @param name the string to validate. |
| * @return boolean indicating if the string was valid. |
| */ |
| private boolean validateValue(String name) { |
| if (name == null) |
| return false; |
| |
| // Want to match on [0-9a-zA-Z_.] |
| if (!name.matches("\\A[\\.\\w]+\\z")) { |
| return false; |
| } |
| |
| return true; |
| } |
| |
| /** |
| * <p> |
| * Create a {@link Policy} instance based on the current configuration. This |
| * method checks for certain policy invariants used to enforce certain guarantees |
| * about the expected structure of a policy stanza. |
| * Those invariants are: |
| * </p> |
| * <ul> |
| * <li> If a default stanza |
| * <ul> |
| * <li> an attached global seinfo tag must be present </li> |
| * <li> no signatures and no package names can be present </li> |
| * </ul> |
| * </li> |
| * <li> If a signer stanza |
| * <ul> |
| * <li> at least one cert must be found </li> |
| * <li> either a global seinfo value is present OR at least one |
| * inner package mapping must be present BUT not both. </li> |
| * </ul> |
| * </li> |
| * </ul> |
| * |
| * @return an instance of {@link Policy} with the options set from this builder |
| * @throws IllegalStateException if an invariant is violated. |
| */ |
| public Policy build() { |
| Policy p = new Policy(this); |
| |
| if (p.mDefaultStanza) { |
| if (p.mSeinfo == null) { |
| String err = "Missing global seinfo tag with default stanza."; |
| throw new IllegalStateException(err); |
| } |
| if (p.mCerts.size() != 0) { |
| String err = "Certs not allowed with default stanza."; |
| throw new IllegalStateException(err); |
| } |
| if (!p.mPkgMap.isEmpty()) { |
| String err = "Inner package mappings not allowed with default stanza."; |
| throw new IllegalStateException(err); |
| } |
| } else { |
| if (p.mCerts.size() == 0) { |
| String err = "Missing certs with signer tag. Expecting at least one."; |
| throw new IllegalStateException(err); |
| } |
| if (!(p.mSeinfo == null ^ p.mPkgMap.isEmpty())) { |
| String err = "Only seinfo tag XOR package tags are allowed within " + |
| "a signer stanza."; |
| throw new IllegalStateException(err); |
| } |
| } |
| |
| return p; |
| } |
| } |
| } |
| |
| /** |
| * Comparision imposing an ordering on Policy objects. It is understood that Policy |
| * objects can only take one of three forms and ordered according to the following |
| * set of rules most specific to least. |
| * <ul> |
| * <li> signer stanzas with inner package mappings </li> |
| * <li> signer stanzas with global seinfo tags </li> |
| * <li> default stanza </li> |
| * </ul> |
| * This comparison also checks for duplicate entries on the input selectors. Any |
| * found duplicates will be flagged and can be checked with {@link #foundDuplicate}. |
| */ |
| |
| final class PolicyComparator implements Comparator<Policy> { |
| |
| private boolean duplicateFound = false; |
| |
| public boolean foundDuplicate() { |
| return duplicateFound; |
| } |
| |
| @Override |
| public int compare(Policy p1, Policy p2) { |
| |
| // Give precedence to signature stanzas over default stanzas |
| if (p1.isDefaultStanza() != p2.isDefaultStanza()) { |
| return p1.isDefaultStanza() ? 1 : -1; |
| } |
| |
| // Give precedence to stanzas with inner package mappings |
| if (p1.hasInnerPackages() != p2.hasInnerPackages()) { |
| return p1.hasInnerPackages() ? -1 : 1; |
| } |
| |
| // Check for duplicate entries |
| if (p1.getSignatures().equals(p2.getSignatures())) { |
| // Checks if default stanza or a signer w/o inner package names |
| if (p1.hasGlobalSeinfo()) { |
| duplicateFound = true; |
| Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString()); |
| } |
| |
| // Look for common inner package name mappings |
| final Map<String, String> p1Packages = p1.getInnerPackages(); |
| final Map<String, String> p2Packages = p2.getInnerPackages(); |
| if (!Collections.disjoint(p1Packages.keySet(), p2Packages.keySet())) { |
| duplicateFound = true; |
| Slog.e(SELinuxMMAC.TAG, "Duplicate policy entry: " + p1.toString()); |
| } |
| } |
| |
| return 0; |
| } |
| } |
