Allocate isolated UID ranges for app zygote and its children.

Introduce a new range of app-zygote isolated UIDs, [90000..98999].
For each app that uses an application Zygote, allocate a range of
100 isolated UIDs. The application Zygote for an app will get a
UID out of that range, and all other children that are forked
from that zygote will get a UID from the same range.

Bug:  111434506
Test: app Zygote and its children run in the new range of
      isolated UIDs (with SELinux disabled). New set of
      tests for UID allocators pass.

Change-Id: I7a6883a5ddb95683932c93ea77f4e52d8f37fa4f

1 files changed, 20 insertions, 1 deletions

diff --git a/core/java/android/os/Process.java b/core/java/android/os/Process.java
index 938b23ca733f..ee56e3d0ad16 100644
--- a/core/java/android/os/Process.java
+++ b/core/java/android/os/Process.java
@@ -205,6 +205,24 @@ public class Process {
     public static final int LAST_APPLICATION_UID = 19999;
 
     /**
+     * First uid used for fully isolated sandboxed processes spawned from an app zygote
+     * @hide
+     */
+    public static final int FIRST_APP_ZYGOTE_ISOLATED_UID = 90000;
+
+    /**
+     * Number of UIDs we allocate per application zygote
+     * @hide
+     */
+    public static final int NUM_UIDS_PER_APP_ZYGOTE = 100;
+
+    /**
+     * Last uid used for fully isolated sandboxed processes spawned from an app zygote
+     * @hide
+     */
+    public static final int LAST_APP_ZYGOTE_ISOLATED_UID = 98999;
+
+    /**
      * First uid used for fully isolated sandboxed processes (with no permissions of their own)
      * @hide
      */
@@ -650,7 +668,8 @@ public class Process {
     /** {@hide} */
     public static final boolean isIsolated(int uid) {
         uid = UserHandle.getAppId(uid);
-        return uid >= FIRST_ISOLATED_UID && uid <= LAST_ISOLATED_UID;
+        return (uid >= FIRST_ISOLATED_UID && uid <= LAST_ISOLATED_UID)
+                || (uid >= FIRST_APP_ZYGOTE_ISOLATED_UID && uid <= LAST_APP_ZYGOTE_ISOLATED_UID);
     }
 
     /**