xref: /aosp_15_r20/external/selinux/libselinux/src/android/android_internal.h (revision 2d543d20722ada2425b5bdab9d0d1d29470e7bba)
1 #pragma once
2 
3 #include <stdbool.h>
4 #include <sys/types.h>
5 
6 #include <selinux/context.h>
7 #include <selinux/selinux.h>
8 
9 #ifdef __cplusplus
10 extern "C" {
11 #endif
12 
13 // Context files (file_contexts, service_contexts, etc) may be spread over
14 // multiple partitions: system, system_ext, product, vendor and/or odm.
// This constant is also the array bound written on the `paths` and
// `partitions` parameters of the functions declared below. C does not enforce
// a bound on an array parameter (it decays to a pointer), so callers should
// pass arrays with at least this many elements.
15 #define MAX_CONTEXT_PATHS 5
16 // The maximum number of alternatives for a file on one partition.
17 #define MAX_ALT_CONTEXT_PATHS 2
/* Candidate locations for one kind of context file.
 * paths[i][j] is the j-th alternative for set i (at most
 * MAX_ALT_CONTEXT_PATHS alternatives per set). partitions[i] presumably names
 * the partition that set i belongs to, i.e. the two arrays are index-aligned;
 * confirm against the code that fills this struct.
 * NOTE(review): this header does not say how unused slots are marked, so
 * consumers should not assume every entry is non-NULL. */
18 typedef struct path_alts {
19 	const char *paths[MAX_CONTEXT_PATHS][MAX_ALT_CONTEXT_PATHS];
20 	const char *partitions[MAX_CONTEXT_PATHS];
21 } path_alts_t;
22 
23 /* Within each set of files, adds the first file that is accessible to `paths`.
24  * Returns the number of accessible files.
 *
 * `paths` is an output array. The MAX_CONTEXT_PATHS bound in the prototype is
 * not checked by the compiler, so the caller must supply an array with room
 * for MAX_CONTEXT_PATHS entries.
 * NOTE(review): presumably the results occupy paths[0] .. paths[ret - 1] and
 * the remaining entries are left untouched; confirm before reading past the
 * returned count. */
25 size_t find_existing_files(
26 	const path_alts_t *path_sets,
27 	const char *paths[MAX_CONTEXT_PATHS]);
28 
29 /* Within each set of files, adds the first file that is accessible to `paths`.
30  * Returns the number of accessible files. Also returns the partitions where
31  * the files exist.
 *
 * `paths` and `partitions` are both output arrays. Neither bound is checked
 * by the compiler, so the caller must supply room for MAX_CONTEXT_PATHS
 * entries in each.
 * NOTE(review): presumably partitions[k] describes paths[k] for every k below
 * the returned count; confirm against the implementation. */
32 size_t find_existing_files_with_partitions(
33 	const path_alts_t *path_sets,
34 	const char *paths[MAX_CONTEXT_PATHS],
35 	const char *partitions[MAX_CONTEXT_PATHS]);
36 
37 /* Converts an array of file paths into an array of options for selabel_open.
38  * opts must be at least as large as paths.
 *
 * No length is passed for `opts`, so this function cannot verify that
 * requirement. The caller must guarantee that opts has at least `npaths`
 * elements, otherwise the conversion writes past the end of the array.
 * NOTE(review): npaths is presumably expected to be <= MAX_CONTEXT_PATHS (the
 * value returned by find_existing_files); confirm whether that is checked. */
39 void paths_to_opts(
40 	const char* paths[MAX_CONTEXT_PATHS],
41 	size_t npaths,
42 	struct selinux_opt* const opts);
43 
44 /* Initialize a backend using the specified options. Ensure that any error is
45  * reported to the android logging facility
 *
 * `opts` points to `nopts` option entries, for example as filled in by
 * paths_to_opts. `name` is presumably used to identify the backend in the
 * logged error; confirm.
 * NOTE(review): the failure return is not documented here. Presumably it is
 * NULL, as with selabel_open, so callers should check the handle before using
 * it for any labeling decision. Ownership of the returned handle is not
 * stated either. */
46 struct selabel_handle* initialize_backend(
47 	unsigned int backend,
48 	const char* name,
49 	const struct selinux_opt* opts,
50 	size_t nopts);
51 
52 /* Initialize a backend using a set of context paths
 *
 * Takes the candidate locations in `context_paths` rather than a prepared
 * options array.
 * NOTE(review): presumably this combines find_existing_files, paths_to_opts
 * and initialize_backend; confirm in the definition. The failure return is
 * not documented (presumably NULL), so callers should check the result. */
53 struct selabel_handle* context_handle(
54 		unsigned int backend,
55 		const path_alts_t *context_paths,
56 		const char* name);
57 
58 /*
59  * This method helps in identifying paths that refer to users' app data.
60  * Labeling for app data is based on seapp_contexts and seinfo assignments
61  * rather than file_contexts and is managed by installd rather than by init.
 *
 * The result therefore decides which labeling source applies to a path.
 * NOTE(review): whether `pathname` is expected to be canonical (symlinks and
 * ".." components already resolved) is not stated here; confirm with the
 * callers, since the decision is made on the string that is passed in.
62  */
63 bool is_app_data_path(const char *pathname);
64 
65 /*
66  * Determines if a path is Credential Encrypted (CE).
67  * Some paths are not available when the device first boots (these are protected
68  * by a credential). They should not be processed by restorecon until decrypted.
69  * See also the --skip-ce option for restorecon.
 *
 * NOTE(review): as declared, the function receives only the path string, so
 * it presumably classifies by path pattern and does not report whether the
 * storage is currently unlocked; confirm in the definition.
70  */
71 bool is_credential_encrypted_path(const char *pathname);
72 
73 /* Extract the pkgname and userid from a path.
74  * On success, the caller is responsible for free'ing pkgname.
75  * Returns 0 on success, -1 on invalid path, -2 on error.
 *
 * *pkgname receives a newly allocated string and *userid the parsed user id.
 * The contents of both outputs after a non-zero return are not documented:
 * free *pkgname only after a 0 return, and do not read either output on
 * failure.
 * NOTE(review): -2 presumably covers allocation failure; confirm.
76  */
77 int extract_pkgname_and_userid(const char *pathname, char **pkgname, unsigned int *userid);
78 
79 /* The kind of request when looking up an seapp_context.
 * Passed as the `kind` argument of seapp_context_lookup and
 * seapp_context_lookup_internal. */
80 enum seapp_kind {
81 	/* Returns the SELinux type for the app data directory */
82 	SEAPP_TYPE,
83 	/* Returns the SELinux type for the app process */
84 	SEAPP_DOMAIN
85 };
86 
87 /* Search an app (or its data) based on its name and information within the list
88  * of known seapp_contexts. If found, sets the type and categories of ctx and
89  * returns 0. Returns -1 in case of error; -2 for out of memory
 *
 * `kind` selects whether the data-directory type (SEAPP_TYPE) or the process
 * domain (SEAPP_DOMAIN) is resolved. `ctx` is modified in place on success.
 * NOTE(review): "no matching entry" has no return code of its own in this
 * comment; presumably it is reported as -1. Callers should treat every
 * non-zero return as failure and must not apply ctx as a label in that case.
 * NOTE(review): `seinfo` is presumably in the format accepted by parse_seinfo;
 * confirm. */
90 int seapp_context_lookup(enum seapp_kind kind,
91 				uid_t uid,
92 				bool isSystemServer,
93 				const char *seinfo,
94 				const char *pkgname,
95 				context_t ctx);
96 
97 /* Similar to seapp_context_lookup, but does not implicitly load and use the
98  * default context files. It should only be used for unit tests.
 *
 * Parameters and return values are the same as for seapp_context_lookup.
 * NOTE(review): the entries it searches are presumably those loaded earlier
 * through seapp_context_reload_internal; confirm. Production code should call
 * seapp_context_lookup so that the default context files are the ones
 * consulted. */
99 int seapp_context_lookup_internal(enum seapp_kind kind,
100 				uid_t uid,
101 				bool isSystemServer,
102 				const char *seinfo,
103 				const char *pkgname,
104 				context_t ctx);
105 
106 /* Which categories should be associated to the process.
 * Passed as the `levelFrom` argument of set_range_from_level. */
107 enum levelFrom {
108 	/* None */
109 	LEVELFROM_NONE,
110 	/* The categories of the application */
111 	LEVELFROM_APP,
112 	/* The categories of the end-user */
113 	LEVELFROM_USER,
114 	/* Application and end-user */
115 	LEVELFROM_ALL
116 };
117 
118 /* Sets the categories of ctx based on the level request.
 * `levelFrom` selects which of `userid` and `appid` contribute categories
 * (see enum levelFrom); ctx is modified in place.
 * NOTE(review): the return convention is not documented here; presumably 0 on
 * success and non-zero on failure. Callers should not apply ctx as a label
 * after a failure. */
119 int set_range_from_level(context_t ctx, enum levelFrom levelFrom, uid_t userid, uid_t appid);
120 
121 /* Similar to seapp_context_reload, but does not implicitly load the default
122  * context files. It should only be used for unit tests.
 * The files to load are taken from `context_paths` instead.
 * NOTE(review): seapp_context_reload is not declared in this header, and the
 * return convention is not documented here (presumably 0 on success);
 * confirm. */
123 int seapp_context_reload_internal(const path_alts_t *context_paths);
124 
125 #define SEINFO_BUFSIZ 256
126 /* A parsed seinfo */
/* `base` and `partition` are fixed buffers of SEINFO_BUFSIZ bytes, so a
 * component of SEINFO_BUFSIZ bytes or more cannot be stored together with its
 * terminator. `is` is a bitmask built from the IS_* flags below. The flags
 * are defined inside the struct body only to keep them next to the field; as
 * preprocessor macros they remain visible to the rest of the translation
 * unit.
 * NOTE(review): int32_t is used here although this header does not include
 * <stdint.h> directly; presumably it arrives through <sys/types.h> or the
 * selinux headers. Confirm. */
127 struct parsed_seinfo {
128 	char base[SEINFO_BUFSIZ];
129 #define IS_PRIV_APP             (1 << 0)
130 #define IS_FROM_RUN_AS          (1 << 1)
131 #define IS_EPHEMERAL_APP        (1 << 2)
132 #define IS_ISOLATED_COMPUTE_APP (1 << 3)
133 #define IS_SDK_SANDBOX_AUDIT    (1 << 4)
134 #define IS_SDK_SANDBOX_NEXT     (1 << 5)
135 	int32_t is;
136 	bool isPreinstalledApp;
137 	char partition[SEINFO_BUFSIZ];
138 	int32_t targetSdkVersion;
139 };
140 
141 /* Parses an seinfo string. Returns -1 if an error occurred.
 * The result is written to *info.
 * NOTE(review): the success return value (presumably 0) and the state of
 * *info after a -1 return are not documented; callers should not read *info
 * after a failure. Components too long for the SEINFO_BUFSIZ buffers are
 * presumably rejected with -1 rather than truncated; confirm, since a
 * silently truncated seinfo could match a different seapp_contexts entry. */
142 int parse_seinfo(const char* seinfo, struct parsed_seinfo* info);
143 #ifdef __cplusplus
144 }
145 #endif
146