From b18fea1abb8cf4fe99b0045c05b651dfb9df47ce Mon Sep 17 00:00:00 2001
From: Samiul Islam
Date: Sat, 15 Jan 2022 18:59:14 +0000
Subject: [PATCH 1/2] Create utility method for calculating supplemental_uid from app_uid
Every app will now have a corresponding supplemental process associated with it. We need an utility method to map one to the other. Implementation details: supplemental process uid will be between range 20k-30k. As such, it will be a 10k offset from app id. See ag/16621743.
Bug: 211763739
Test: atest installd_service_test
Ignore-AOSP-First: Feature is being developed in internal branch
Change-Id: I2b6d6b086985bcb24c837eaa95a937d429d6a583
Merged-In: I2b6d6b086985bcb24c837eaa95a937d429d6a583
(cherry picked from commit 1c7acfdb671c7edc4432bc8542df54c49736963d)
---
 libcutils/include/cutils/multiuser.h | 1 +
 .../include/private/android_filesystem_config.h | 4 ++++
 libcutils/multiuser.cpp | 9 +++++++++
 libcutils/multiuser_test.cpp | 17 +++++++++++++++++
 4 files changed, 31 insertions(+)
diff --git a/libcutils/include/cutils/multiuser.h b/libcutils/include/cutils/multiuser.h
index 9a2305c98..4911c488f 100644
--- a/libcutils/include/cutils/multiuser.h
+++ b/libcutils/include/cutils/multiuser.h
@@ -30,6 +30,7 @@ extern userid_t multiuser_get_user_id(uid_t uid);
 extern appid_t multiuser_get_app_id(uid_t uid);
 extern uid_t multiuser_get_uid(userid_t user_id, appid_t app_id);
+extern uid_t multiuser_get_supplemental_uid(userid_t user_id, appid_t app_id);
 extern gid_t multiuser_get_cache_gid(userid_t user_id, appid_t app_id);
 extern gid_t multiuser_get_ext_gid(userid_t user_id, appid_t app_id);
diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h
index 8e6b81c2b..155d3f581 100644
--- a/libcutils/include/private/android_filesystem_config.h
+++ b/libcutils/include/private/android_filesystem_config.h
@@ -210,6 +210,10 @@
 */
 #define AID_OVERFLOWUID 65534 /* unmapped user in the user namespace */
+/* use the ranges below to determine whether a process is supplemental */
+#define AID_SUPPLEMENTAL_PROCESS_START 20000 /* start of uids allocated to supplemental process */
+#define AID_SUPPLEMENTAL_PROCESS_END 29999 /* end of uids allocated to supplemental process */
+
 /* use the ranges below to determine whether a process is isolated */
 #define AID_ISOLATED_START 90000 /* start of uids for fully isolated sandboxed processes */
 #define AID_ISOLATED_END 99999 /* end of uids for fully isolated sandboxed processes */
diff --git a/libcutils/multiuser.cpp b/libcutils/multiuser.cpp
index 0fd3d0c52..76ae4ce7e 100644
--- a/libcutils/multiuser.cpp
+++ b/libcutils/multiuser.cpp
@@ -29,6 +29,15 @@ uid_t multiuser_get_uid(userid_t user_id, appid_t app_id) {
 return (user_id * AID_USER_OFFSET) + (app_id % AID_USER_OFFSET);
 }
+uid_t multiuser_get_supplemental_uid(userid_t user_id, appid_t app_id) {
+ int supplementalProcessOffset = AID_SUPPLEMENTAL_PROCESS_START - AID_APP_START;
+ if (app_id >= AID_APP_START && app_id <= AID_APP_END) {
+ return (user_id * AID_USER_OFFSET) + (app_id % AID_USER_OFFSET) + supplementalProcessOffset;
+ } else {
+ return -1;
+ }
+}
+
 gid_t multiuser_get_cache_gid(userid_t user_id, appid_t app_id) {
 if (app_id >= AID_APP_START && app_id <= AID_APP_END) {
 return multiuser_get_uid(user_id, (app_id - AID_APP_START) + AID_CACHE_GID_START);
diff --git a/libcutils/multiuser_test.cpp b/libcutils/multiuser_test.cpp
index 4b0fd130f..68270de1c 100644
--- a/libcutils/multiuser_test.cpp
+++ b/libcutils/multiuser_test.cpp
@@ -18,6 +18,7 @@
 #include
 static constexpr auto ERR_GID = static_cast(-1);
+static constexpr auto ERR_UID = static_cast(-1);
 TEST(MultiuserTest, TestMerge) {
 EXPECT_EQ(0U, multiuser_get_uid(0, 0));
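Review bot: In android_filesystem_config.h, the comment on the new AID_SUPPLEMENTAL_PROCESS_START/END pair says to use the range to decide whether a process is supplemental, but it does not say that the comparison has to be made on the app id rather than on the raw uid. The tests in this patch expect 1020000 for user 10, which lies outside 20000-29999, so a check written as `uid >= AID_SUPPLEMENTAL_PROCESS_START && uid <= AID_SUPPLEMENTAL_PROCESS_END` would treat a secondary user's supplemental process as an ordinary one. I would extend the comment to something like `/* compare against multiuser_get_app_id(uid), not the raw uid; the range repeats per user */`. The hunk also does not show whether 20000-29999 is already assigned to another AID range in this header, which is worth confirming and stating next to the defines.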
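Review bot: In multiuser.cpp, multiuser_get_supplemental_uid() signals an app_id outside AID_APP_START..AID_APP_END by returning `-1`, which as a uid_t is the all-ones value that chown() and setresuid() treat as "leave this id unchanged", so a caller that skips the check keeps its current owner or identity instead of failing. The declaration in multiuser.h should say so, for example `/* Returns (uid_t)-1 when app_id is not in AID_APP_START..AID_APP_END; check before use. */`. The in-range branch also repeats the arithmetic of multiuser_get_uid() with a signed `int` offset, while the neighbouring multiuser_get_cache_gid() already shows the simpler form: `return multiuser_get_uid(user_id, (app_id - AID_APP_START) + AID_SUPPLEMENTAL_PROCESS_START);`. user_id is not range-checked here or in multiuser_get_uid(), so the multiplication by AID_USER_OFFSET presumably relies on callers passing a valid user id.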
@@ -30,6 +31,22 @@ TEST(MultiuserTest, TestMerge) {
 EXPECT_EQ(1050000U, multiuser_get_uid(10, 50000));
 }
+TEST(MultiuserTest, TestSupplementalUid) {
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 0));
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 1000));
+ EXPECT_EQ(20000U, multiuser_get_supplemental_uid(0, 10000));
+ EXPECT_EQ(25000U, multiuser_get_supplemental_uid(0, 15000));
+ EXPECT_EQ(29999U, multiuser_get_supplemental_uid(0, 19999));
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 50000));
+
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 0));
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 1000));
+ EXPECT_EQ(1020000U, multiuser_get_supplemental_uid(10, 10000));
+ EXPECT_EQ(1025000U, multiuser_get_supplemental_uid(10, 15000));
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 20000));
+ EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 50000));
+}
+
 TEST(MultiuserTest, TestSplitUser) {
 EXPECT_EQ(0U, multiuser_get_user_id(0));
 EXPECT_EQ(0U, multiuser_get_user_id(1000));
From 45f8837c90a0c63befb848f0427dccade5e41666 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe
Date: Mon, 21 Feb 2022 18:50:23 +0000
Subject: [PATCH 2/2] Rename SupplementalProcess to SdkSandbox
Ignore-AOSP-First: code is not in AOSP yet
Bug: 220320098
Test: presubmit
Change-Id: I310feb08a903c2ee9cd544e3b9751c2e02ce5951
Merged-In: I310feb08a903c2ee9cd544e3b9751c2e02ce5951
(cherry picked from commit 6e124aac7c0e76a83040bcda8f1a63df20e3d421)
---
 libcutils/include/cutils/multiuser.h | 2 +-
 .../private/android_filesystem_config.h | 6 ++---
 libcutils/multiuser.cpp | 6 ++---
 libcutils/multiuser_test.cpp | 26 +++++++++----------
 4 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/libcutils/include/cutils/multiuser.h b/libcutils/include/cutils/multiuser.h
index 4911c488f..229ee3a9a 100644
--- a/libcutils/include/cutils/multiuser.h
+++ b/libcutils/include/cutils/multiuser.h
@@ -30,7 +30,7 @@ extern userid_t multiuser_get_user_id(uid_t uid);
 extern appid_t multiuser_get_app_id(uid_t uid);
 extern uid_t multiuser_get_uid(userid_t user_id, appid_t app_id);
-extern uid_t multiuser_get_supplemental_uid(userid_t user_id, appid_t app_id);
+extern uid_t multiuser_get_sdk_sandbox_uid(userid_t user_id, appid_t app_id);
 extern gid_t multiuser_get_cache_gid(userid_t user_id, appid_t app_id);
 extern gid_t multiuser_get_ext_gid(userid_t user_id, appid_t app_id);
diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h
index 155d3f581..ec3f1c756 100644
--- a/libcutils/include/private/android_filesystem_config.h
+++ b/libcutils/include/private/android_filesystem_config.h
@@ -210,9 +210,9 @@
 */
 #define AID_OVERFLOWUID 65534 /* unmapped user in the user namespace */
-/* use the ranges below to determine whether a process is supplemental */
-#define AID_SUPPLEMENTAL_PROCESS_START 20000 /* start of uids allocated to supplemental process */
-#define AID_SUPPLEMENTAL_PROCESS_END 29999 /* end of uids allocated to supplemental process */
+/* use the ranges below to determine whether a process is sdk sandbox */
+#define AID_SDK_SANDBOX_PROCESS_START 20000 /* start of uids allocated to sdk sandbox processes */
+#define AID_SDK_SANDBOX_PROCESS_END 29999 /* end of uids allocated to sdk sandbox processes */
 /* use the ranges below to determine whether a process is isolated */
 #define AID_ISOLATED_START 90000 /* start of uids for fully isolated sandboxed processes */
diff --git a/libcutils/multiuser.cpp b/libcutils/multiuser.cpp
index 76ae4ce7e..979cbf43b 100644
--- a/libcutils/multiuser.cpp
+++ b/libcutils/multiuser.cpp
@@ -29,10 +29,10 @@ uid_t multiuser_get_uid(userid_t user_id, appid_t app_id) {
 return (user_id * AID_USER_OFFSET) + (app_id % AID_USER_OFFSET);
 }
-uid_t multiuser_get_supplemental_uid(userid_t user_id, appid_t app_id) {
- int supplementalProcessOffset = AID_SUPPLEMENTAL_PROCESS_START - AID_APP_START;
+uid_t multiuser_get_sdk_sandbox_uid(userid_t user_id, appid_t app_id) {
+ int sdk_sandbox_offset = AID_SDK_SANDBOX_PROCESS_START - AID_APP_START;
 if (app_id >= AID_APP_START && app_id <= AID_APP_END) {
- return (user_id * AID_USER_OFFSET) + (app_id % AID_USER_OFFSET) + supplementalProcessOffset;
+ return (user_id * AID_USER_OFFSET) + (app_id % AID_USER_OFFSET) + sdk_sandbox_offset;
 } else {
 return -1;
 }
diff --git a/libcutils/multiuser_test.cpp b/libcutils/multiuser_test.cpp
index 68270de1c..62dd5e02c 100644
--- a/libcutils/multiuser_test.cpp
+++ b/libcutils/multiuser_test.cpp
@@ -31,20 +31,20 @@ TEST(MultiuserTest, TestMerge) {
 EXPECT_EQ(1050000U, multiuser_get_uid(10, 50000));
 }
-TEST(MultiuserTest, TestSupplementalUid) {
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 0));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 1000));
- EXPECT_EQ(20000U, multiuser_get_supplemental_uid(0, 10000));
- EXPECT_EQ(25000U, multiuser_get_supplemental_uid(0, 15000));
- EXPECT_EQ(29999U, multiuser_get_supplemental_uid(0, 19999));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(0, 50000));
+TEST(MultiuserTest, TestSdkSandboxUid) {
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(0, 0));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(0, 1000));
+ EXPECT_EQ(20000U, multiuser_get_sdk_sandbox_uid(0, 10000));
+ EXPECT_EQ(25000U, multiuser_get_sdk_sandbox_uid(0, 15000));
+ EXPECT_EQ(29999U, multiuser_get_sdk_sandbox_uid(0, 19999));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(0, 50000));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 0));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 1000));
- EXPECT_EQ(1020000U, multiuser_get_supplemental_uid(10, 10000));
- EXPECT_EQ(1025000U, multiuser_get_supplemental_uid(10, 15000));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 20000));
- EXPECT_EQ(ERR_UID, multiuser_get_supplemental_uid(10, 50000));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(10, 0));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(10, 1000));
+ EXPECT_EQ(1020000U, multiuser_get_sdk_sandbox_uid(10, 10000));
+ EXPECT_EQ(1025000U, multiuser_get_sdk_sandbox_uid(10, 15000));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(10, 20000));
+ EXPECT_EQ(ERR_UID, multiuser_get_sdk_sandbox_uid(10, 50000));
 }
 TEST(MultiuserTest, TestSplitUser) {