author | Todd Kennedy <toddke@google.com> | 2017-01-25 13:24:21 -0800 |
---|---|---|
committer | Todd Kennedy <toddke@google.com> | 2017-01-30 14:47:30 -0800 |
commit | 11e45075221680dcc25e3da1d3c32710e5a98603 (patch) | |
tree | 2d4a651dd127a2e0dcc67c503ebe08c5cb8ca47f | |
parent | c5d458930ca4f69cf2d976ffd65a8679328de62c (diff) |
Define targetSandboxVersion
The new attribute allows both ephemeral and non-ephemeral apps to
opt into a new, tighter security model.
Test: Manual; built app w/ targetSandboxVersion and verified the security domain
Change-Id: I8fcaf84e25f0519b438ba51302f79790e680e025
-rw-r--r-- | api/current.txt | 1 | ||||
-rw-r--r-- | api/system-current.txt | 1 | ||||
-rw-r--r-- | api/test-current.txt | 1 | ||||
-rw-r--r-- | core/java/android/content/pm/ApplicationInfo.java | 13 | ||||
-rw-r--r-- | core/java/android/content/pm/PackageParser.java | 5 | ||||
-rw-r--r-- | core/java/android/security/net/config/ManifestConfigSource.java | 14 | ||||
-rw-r--r-- | core/java/android/security/net/config/NetworkSecurityConfig.java | 5 | ||||
-rw-r--r-- | core/java/android/security/net/config/XmlConfigSource.java | 10 | ||||
-rw-r--r-- | core/res/res/values/attrs_manifest.xml | 7 | ||||
-rw-r--r-- | core/res/res/values/public.xml | 1 | ||||
-rw-r--r-- | services/core/java/com/android/server/pm/SELinuxMMAC.java | 6 | ||||
-rw-r--r-- | tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java | 6 |
12 files changed, 52 insertions, 18 deletions
diff --git a/api/current.txt b/api/current.txt
index 1228db83907c..1edf0ef18bd1 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -1268,6 +1268,7 @@ package android {
 field public static final int targetId = 16843740; // 0x10103dc
 field public static final int targetName = 16843853; // 0x101044d
 field public static final int targetPackage = 16842785; // 0x1010021
+ field public static final int targetSandboxVersion = 16844110; // 0x101054e
 field public static final int targetSdkVersion = 16843376; // 0x1010270
 field public static final int taskAffinity = 16842770; // 0x1010012
 field public static final int taskCloseEnterAnimation = 16842942; // 0x10100be
diff --git a/api/system-current.txt b/api/system-current.txt
index 4698a6810012..1a6d0c0b8180 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -1383,6 +1383,7 @@ package android {
 field public static final int targetId = 16843740; // 0x10103dc
 field public static final int targetName = 16843853; // 0x101044d
 field public static final int targetPackage = 16842785; // 0x1010021
+ field public static final int targetSandboxVersion = 16844110; // 0x101054e
 field public static final int targetSdkVersion = 16843376; // 0x1010270
 field public static final int taskAffinity = 16842770; // 0x1010012
 field public static final int taskCloseEnterAnimation = 16842942; // 0x10100be
diff --git a/api/test-current.txt b/api/test-current.txt
index 15844cd01cd7..512de48d8431 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -1268,6 +1268,7 @@ package android { field public static final int targetId = 16843740; // 0x10103dc field public static final int targetName = 16843853; // 0x101044d field public static final int targetPackage = 16842785; // 0x1010021 + field public static final int targetSandboxVersion = 16844110; // 0x101054e field public static final int targetSdkVersion = 16843376; // 0x1010270 field public static final int taskAffinity = 16842770; // 0x1010012 field public static final int taskCloseEnterAnimation = 16842942; // 0x10100be diff --git a/core/java/android/content/pm/ApplicationInfo.java b/core/java/android/content/pm/ApplicationInfo.java index 3d9ba96b6795..ef594447553a 100644 --- a/core/java/android/content/pm/ApplicationInfo.java +++ b/core/java/android/content/pm/ApplicationInfo.java @@ -827,6 +827,12 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { public int networkSecurityConfigRes; /** + * Version of the sandbox the application wants to run in. + * @hide + */ + public int targetSandboxVersion; + + /** * The category of this app. Categories are used to cluster multiple apps * together into meaningful groups, such as when summarizing battery, * network, or disk usage. Apps should only define this value when they fit @@ -1007,7 +1013,8 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { pw.println(prefix + "enabled=" + enabled + " minSdkVersion=" + minSdkVersion + " targetSdkVersion=" + targetSdkVersion - + " versionCode=" + versionCode); + + " versionCode=" + versionCode + + " targetSandboxVersion=" + targetSandboxVersion); if ((flags&DUMP_FLAG_DETAILS) != 0) { if (manageSpaceActivityName != null) { pw.println(prefix + "manageSpaceActivityName=" + manageSpaceActivityName); 
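Review bot: The Javadoc on the new `targetSandboxVersion` field says only "Version of the sandbox the application wants to run in" and gives neither the valid values nor the default, and an `ApplicationInfo` not produced by the parser carries 0 here while `PackageParser` in this change fills in 1 as the manifest default. Suggested comment body: `* Version of the sandbox the application wants to run in, as declared by the manifest`, `* {@code targetSandboxVersion} attribute (default 1). Higher values are stricter; version 2`, `* disables cleartext traffic in the default network security config.` The later hunk in this file (@@ -1310) adds a bare `// TODO: modify per-user ephemerality` with no bug id or owner; reference the tracking bug or drop it. The enclosing class continues outside the hunk.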
@@ -1122,6 +1129,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { fullBackupContent = orig.fullBackupContent; networkSecurityConfigRes = orig.networkSecurityConfigRes; category = orig.category; + targetSandboxVersion = orig.targetSandboxVersion; } public String toString() { @@ -1182,6 +1190,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { dest.writeInt(fullBackupContent); dest.writeInt(networkSecurityConfigRes); dest.writeInt(category); + dest.writeInt(targetSandboxVersion); } public static final Parcelable.Creator<ApplicationInfo> CREATOR @@ -1242,6 +1251,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { fullBackupContent = source.readInt(); networkSecurityConfigRes = source.readInt(); category = source.readInt(); + targetSandboxVersion = source.readInt(); } /** @@ -1310,6 +1320,7 @@ public class ApplicationInfo extends PackageItemInfo implements Parcelable { } else { dataDir = credentialProtectedDataDir; } + // TODO: modify per-user ephemerality } /** diff --git a/core/java/android/content/pm/PackageParser.java b/core/java/android/content/pm/PackageParser.java index 8223726322a5..401bf4048ad1 100644 --- a/core/java/android/content/pm/PackageParser.java +++ b/core/java/android/content/pm/PackageParser.java @@ -296,6 +296,7 @@ public class PackageParser { private static boolean sCompatibilityModeEnabled = true; private static final int PARSE_DEFAULT_INSTALL_LOCATION = PackageInfo.INSTALL_LOCATION_UNSPECIFIED; + private static final int PARSE_DEFAULT_TARGET_SANDBOX = 1; static class ParsePackageItemArgs { final Package owner; 
@@ -1996,6 +1997,10 @@ public class PackageParser { PARSE_DEFAULT_INSTALL_LOCATION); pkg.applicationInfo.installLocation = pkg.installLocation; + final int targetSandboxVersion = sa.getInteger( + com.android.internal.R.styleable.AndroidManifest_targetSandboxVersion, + PARSE_DEFAULT_TARGET_SANDBOX); + pkg.applicationInfo.targetSandboxVersion = targetSandboxVersion; /* Set the global "forward lock" flag */ if ((flags & PARSE_FORWARD_LOCK) != 0) { diff --git a/core/java/android/security/net/config/ManifestConfigSource.java b/core/java/android/security/net/config/ManifestConfigSource.java index 0f2994d37681..8fcd5ab55e6a 100644 --- a/core/java/android/security/net/config/ManifestConfigSource.java +++ b/core/java/android/security/net/config/ManifestConfigSource.java @@ -32,7 +32,7 @@ public class ManifestConfigSource implements ConfigSource { private final int mApplicationInfoFlags; private final int mTargetSdkVersion; private final int mConfigResourceId; - private final boolean mEphemeralApp; + private final int mTargetSandboxVesrsion; private ConfigSource mConfigSource; @@ -43,7 +43,7 @@ public class ManifestConfigSource implements ConfigSource { mApplicationInfoFlags = info.flags; mTargetSdkVersion = info.targetSdkVersion; mConfigResourceId = info.networkSecurityConfigRes; - mEphemeralApp = info.isEphemeralApp(); + mTargetSandboxVesrsion = info.targetSandboxVersion; } @Override @@ -71,7 +71,7 @@ public class ManifestConfigSource implements ConfigSource { + " debugBuild: " + debugBuild); } source = new XmlConfigSource(mContext, mConfigResourceId, debugBuild, - mTargetSdkVersion, mEphemeralApp); + mTargetSdkVersion, mTargetSandboxVesrsion); } else { if (DBG) { Log.d(LOG_TAG, "No Network Security Config specified, using platform default"); 
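Review bot: The value read with `sa.getInteger(... AndroidManifest_targetSandboxVersion, PARSE_DEFAULT_TARGET_SANDBOX)` is stored on `applicationInfo` without any range check, so a manifest can declare 0, a negative number, or a version above 2. The consumers in this change disagree on how such values are treated: the network-security code treats anything `< 2` as version 1 and anything higher as version 2, while `SELinuxMMAC` (hunk @@ -287) appends the `:v2` seinfo suffix only when the value is exactly 2, so `targetSandboxVersion="3"` would get the cleartext block but not the v2 SELinux label. Rejecting unsupported values at parse time, e.g. `if (targetSandboxVersion < 1 || targetSandboxVersion > 2)` followed by the manifest-malformed parse failure this method presumably uses for other bad attributes, keeps the two enforcement points consistent; at minimum `SELinuxMMAC` should test `>= 2` so the checks share one threshold. The enclosing method starts and ends outside the hunk.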
@@ -80,9 +80,9 @@ public class ManifestConfigSource implements ConfigSource { // should use the network security config. boolean usesCleartextTraffic = (mApplicationInfoFlags & ApplicationInfo.FLAG_USES_CLEARTEXT_TRAFFIC) != 0 - && !mEphemeralApp; + && mTargetSandboxVesrsion < 2; source = new DefaultConfigSource(usesCleartextTraffic, mTargetSdkVersion, - mEphemeralApp); + mTargetSandboxVesrsion); } mConfigSource = source; return mConfigSource; @@ -94,9 +94,9 @@ public class ManifestConfigSource implements ConfigSource { private final NetworkSecurityConfig mDefaultConfig; public DefaultConfigSource(boolean usesCleartextTraffic, int targetSdkVersion, - boolean ephemeralApp) { + int targetSandboxVesrsion) { mDefaultConfig = NetworkSecurityConfig.getDefaultBuilder(targetSdkVersion, - ephemeralApp) + targetSandboxVesrsion) .setCleartextTrafficPermitted(usesCleartextTraffic) .build(); } diff --git a/core/java/android/security/net/config/NetworkSecurityConfig.java b/core/java/android/security/net/config/NetworkSecurityConfig.java index 7923702e3656..789fc273b965 100644 --- a/core/java/android/security/net/config/NetworkSecurityConfig.java +++ b/core/java/android/security/net/config/NetworkSecurityConfig.java 
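Review bot: Replacing `&& !mEphemeralApp` with `&& mTargetSandboxVesrsion < 2` removes the unconditional cleartext block that ephemeral apps previously got: `PackageParser` in this change defaults the attribute to 1 regardless of ephemerality, so an ephemeral app that does not declare `targetSandboxVersion="2"` now falls through to the cleartext-permitted default unless the version is forced elsewhere (the `// TODO: modify per-user ephemerality` added in `ApplicationInfo` suggests that is still pending). The same `< 2` threshold is repeated in `NetworkSecurityConfig.getDefaultBuilder`, while `SELinuxMMAC` tests `== 2`; a single named constant for the first version that blocks cleartext traffic would keep these in step. The new identifier is misspelled as `mTargetSandboxVesrsion`/`targetSandboxVesrsion` here and in the `NetworkSecurityConfig` and `XmlConfigSource` hunks; rename to `mTargetSandboxVersion`/`targetSandboxVersion` before the spelling spreads to callers. The enclosing method starts outside the hunk.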
@@ -175,13 +175,14 @@ public final class NetworkSecurityConfig { * * @hide */ - public static final Builder getDefaultBuilder(int targetSdkVersion, boolean ephemeralApp) { + public static final Builder getDefaultBuilder(int targetSdkVersion, int targetSandboxVesrsion) { Builder builder = new Builder() - .setCleartextTrafficPermitted(!ephemeralApp) .setHstsEnforced(DEFAULT_HSTS_ENFORCED) // System certificate store, does not bypass static pins. .addCertificatesEntryRef( new CertificatesEntryRef(SystemCertificateSource.getInstance(), false)); + final boolean cleartextTrafficPermitted = targetSandboxVesrsion < 2; + builder.setCleartextTrafficPermitted(cleartextTrafficPermitted); // Applications targeting N and above must opt in into trusting the user added certificate // store. if (targetSdkVersion <= Build.VERSION_CODES.M) { diff --git a/core/java/android/security/net/config/XmlConfigSource.java b/core/java/android/security/net/config/XmlConfigSource.java index 38fe6b8466f5..a111fbce183c 100644 --- a/core/java/android/security/net/config/XmlConfigSource.java +++ b/core/java/android/security/net/config/XmlConfigSource.java @@ -37,7 +37,7 @@ public class XmlConfigSource implements ConfigSource { private final int mResourceId; private final boolean mDebugBuild; private final int mTargetSdkVersion; - private final boolean mEphemeralApp; + private final int mTargetSandboxVesrsion; private boolean mInitialized; private NetworkSecurityConfig mDefaultConfig; 
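Review bot: `setCleartextTrafficPermitted` was moved out of the builder chain into a one-use local and a separate statement while `setHstsEnforced` and `addCertificatesEntryRef` stay chained; keeping it in the chain as `.setCleartextTrafficPermitted(targetSandboxVesrsion < 2)` preserves the previous shape and removes the local. The method's Javadoc starts outside the hunk (only `@hide` is visible) and should gain `@param targetSandboxVersion sandbox version from the manifest; 2 or higher disables cleartext traffic by default` now that the boolean parameter is gone. The method continues past the end of the hunk.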
@@ -57,16 +57,16 @@ public class XmlConfigSource implements ConfigSource { @VisibleForTesting public XmlConfigSource(Context context, int resourceId, boolean debugBuild, int targetSdkVersion) { - this(context, resourceId, debugBuild, targetSdkVersion, false); + this(context, resourceId, debugBuild, targetSdkVersion, 1 /*targetSandboxVersion*/); } public XmlConfigSource(Context context, int resourceId, boolean debugBuild, - int targetSdkVersion, boolean ephemeralApp) { + int targetSdkVersion, int targetSandboxVesrsion) { mResourceId = resourceId; mContext = context; mDebugBuild = debugBuild; mTargetSdkVersion = targetSdkVersion; - mEphemeralApp = ephemeralApp; + mTargetSandboxVesrsion = targetSandboxVesrsion; } public Set<Pair<Domain, NetworkSecurityConfig>> getPerDomainConfigs() { @@ -365,7 +365,7 @@ public class XmlConfigSource implements ConfigSource { // Use the platform default as the parent of the base config for any values not provided // there. If there is no base config use the platform default. NetworkSecurityConfig.Builder platformDefaultBuilder = - NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mEphemeralApp); + NetworkSecurityConfig.getDefaultBuilder(mTargetSdkVersion, mTargetSandboxVesrsion); addDebugAnchorsIfNeeded(debugConfigBuilder, platformDefaultBuilder); if (baseConfigBuilder != null) { baseConfigBuilder.setParent(platformDefaultBuilder); diff --git a/core/res/res/values/attrs_manifest.xml b/core/res/res/values/attrs_manifest.xml index 0dde91bb57b0..53d7a823e5e8 100644 --- a/core/res/res/values/attrs_manifest.xml +++ b/core/res/res/values/attrs_manifest.xml 
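Review bot: The test-only constructor now hard-codes the default sandbox version as the literal `1 /*targetSandboxVersion*/`, duplicating the value `PackageParser` defines as `PARSE_DEFAULT_TARGET_SANDBOX = 1` and the default quoted in `attrs_manifest.xml`; if the platform default changes, this delegating constructor keeps the old value in tests without any compile-time signal. A shared constant, or at least `private static final int DEFAULT_TARGET_SANDBOX_VERSION = 1;` in this class referenced from the delegation, makes the coupling explicit.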
@@ -1247,6 +1247,12 @@ split that contains the defined component. --> <attr name="splitName" format="string" /> + <!-- Specifies the target sandbox this app wants to use. Higher sanbox versions + will have increasing levels of security. + + <p>The default value of this attribute is <code>1</code>. --> + <attr name="targetSandboxVersion" format="integer" /> + <!-- The <code>manifest</code> tag is the root of an <code>AndroidManifest.xml</code> file, describing the contents of an Android package (.apk) file. One @@ -1274,6 +1280,7 @@ <attr name="sharedUserLabel" /> <attr name="installLocation" /> <attr name="isolatedSplits" /> + <attr name="targetSandboxVersion" /> </declare-styleable> <!-- The <code>application</code> tag describes application-level components diff --git a/core/res/res/values/public.xml b/core/res/res/values/public.xml index 1146871e488a..488307888fa1 100644 --- a/core/res/res/values/public.xml +++ b/core/res/res/values/public.xml @@ -2790,6 +2790,7 @@ <public name="splitName" /> <public name="colorMode" /> <public name="isolatedSplits" /> + <public name="targetSandboxVersion" /> </public-group> <public-group type="style" first-id="0x010302e0"> diff --git a/services/core/java/com/android/server/pm/SELinuxMMAC.java b/services/core/java/com/android/server/pm/SELinuxMMAC.java index 922291790271..b9bf1db9edc2 100644 --- a/services/core/java/com/android/server/pm/SELinuxMMAC.java +++ b/services/core/java/com/android/server/pm/SELinuxMMAC.java @@ -66,6 +66,9 @@ public final class SELinuxMMAC { // Append privapp to existing seinfo label private static final String PRIVILEGED_APP_STR = ":privapp"; + // Append v2 to existing seinfo label + private static final String SANDBOX_V2_STR = ":v2"; + // Append ephemeral to existing seinfo label private static final String EPHEMERAL_APP_STR = ":ephemeralapp"; 
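Review bot: The attribute documentation has a typo, `Higher sanbox versions` should read `Higher sandbox versions`, and it does not say which versions exist, which is what a developer reading the generated reference needs. Suggested text: `Specifies the target sandbox this app wants to use. Higher sandbox versions will have increasing levels of security.` followed by a sentence naming the versions this change defines (1 and 2) and that version 2 no longer permits cleartext network traffic by default.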
@@ -287,6 +290,9 @@ public final class SELinuxMMAC { if (pkg.applicationInfo.isEphemeralApp()) pkg.applicationInfo.seinfo += EPHEMERAL_APP_STR; + if (pkg.applicationInfo.targetSandboxVersion == 2) + pkg.applicationInfo.seinfo += SANDBOX_V2_STR; + if (pkg.applicationInfo.isPrivilegedApp()) pkg.applicationInfo.seinfo += PRIVILEGED_APP_STR; diff --git a/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java b/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java index dc3b3379d204..25bfa53b0cf2 100644 --- a/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java +++ b/tests/NetworkSecurityConfigTest/src/android/security/net/config/NetworkSecurityConfigTests.java @@ -227,7 +227,7 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { public void testConfigBuilderUsesParents() throws Exception { // Check that a builder with a parent uses the parent's values when non is set. NetworkSecurityConfig config = new NetworkSecurityConfig.Builder() - .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false)) + .setParent(NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, 1)) .build(); assert(!config.getTrustAnchors().isEmpty()); } 
@@ -268,9 +268,9 @@ public class NetworkSecurityConfigTests extends ActivityUnitTestCase<Activity> { // Install the test CA. store.installCertificate(TEST_CA_CERT); NetworkSecurityConfig preNConfig = - NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, false).build(); + NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.M, 1).build(); NetworkSecurityConfig nConfig = - NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, false).build(); + NetworkSecurityConfig.getDefaultBuilder(Build.VERSION_CODES.N, 1).build(); Set<TrustAnchor> preNAnchors = preNConfig.getTrustAnchors(); Set<TrustAnchor> nAnchors = nConfig.getTrustAnchors(); Set<X509Certificate> preNCerts = new HashSet<X509Certificate>(); |