| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-06-24 13:18:02 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2021-06-24 13:18:02 +0000 |
| commit | 2eca07915f4e219a896c4cc7d16d5384ad91084b (patch) | |
| tree | 95d09be3d4da87765bb964ba831dc84a51845deb /core/java | |
| parent | d8244c55fd3f62c4226b0d57e378514b0d2ee0a9 (diff) | |
| parent | ff6ac69e69423107a626a00c3e01e9bf5eb2814c (diff) | |
Merge "Allow app zygote preload to retain files across fork" into sc-dev
Diffstat (limited to 'core/java')
| -rw-r--r-- | core/java/com/android/internal/os/AppZygoteInit.java | 2 | ||||
| -rw-r--r-- | core/java/com/android/internal/os/Zygote.java | 30 |
2 files changed, 32 insertions, 0 deletions
diff --git a/core/java/com/android/internal/os/AppZygoteInit.java b/core/java/com/android/internal/os/AppZygoteInit.java
index 0e83e41a7423..f925afc2a921 100644
--- a/core/java/com/android/internal/os/AppZygoteInit.java
+++ b/core/java/com/android/internal/os/AppZygoteInit.java
@@ -91,7 +91,9 @@ class AppZygoteInit {
 } else {
 Constructor<?> ctor = cl.getConstructor();
 ZygotePreload preloadObject = (ZygotePreload) ctor.newInstance();
+ Zygote.markOpenedFilesBeforePreload();
 preloadObject.doPreload(appInfo);
+ Zygote.allowFilesOpenedByPreload();
 }
 } catch (ReflectiveOperationException e) {
 Log.e(TAG, "AppZygote application preload failed for "
diff --git a/core/java/com/android/internal/os/Zygote.java b/core/java/com/android/internal/os/Zygote.java
index 0c9dded42bda..e4e28a926ed6 100644
--- a/core/java/com/android/internal/os/Zygote.java
+++ b/core/java/com/android/internal/os/Zygote.java
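Review bot: In AppZygoteInit.java the two added calls bracket app-supplied code, but nothing at the call site says that every descriptor opened between them is exempted from the type and file-name checks, as the Javadoc added in Zygote.java states. A comment above `Zygote.markOpenedFilesBeforePreload();` such as `// Only doPreload() may run between mark and allow: FDs opened in this window are retained across fork without type/name checks.` would keep later edits from placing framework work inside the window. If `doPreload()` throws an unchecked exception, `Zygote.allowFilesOpenedByPreload()` is skipped, and the only catch visible here handles ReflectiveOperationException; whether that path then fails closed at fork time should be confirmed and stated. The enclosing method starts and ends outside the hunk.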
@@ -500,6 +500,36 @@ public final class Zygote {
 }
 /**
+ * Scans file descriptors in /proc/self/fd/, stores their metadata from readlink(2)/stat(2) when
+ * available. Saves this information in a global on native side, to be used by subsequent call
+ * to allowFilesOpenedByPreload(). Fatally fails if the FDs are of unsupported type and are not
+ * explicitly allowed. Ignores repeated invocations.
+ *
+ * Inspecting the FDs is more permissive than in forkAndSpecialize() because preload is invoked
+ * earlier and hence needs to allow a few open sockets. The checks in forkAndSpecialize()
+ * enforce that these sockets are closed when forking.
+ */
+ static void markOpenedFilesBeforePreload() {
+ nativeMarkOpenedFilesBeforePreload();
+ }
+
+ private static native void nativeMarkOpenedFilesBeforePreload();
+
+ /**
+ * By scanning /proc/self/fd/ determines file descriptor numbers in this process opened since
+ * the first call to markOpenedFilesBeforePreload(). These FDs are treated as 'owned' by the
+ * custom preload of the App Zygote - the app is responsible for not sharing data with its other
+ * processes using these FDs, including by lseek(2). File descriptor types and file names are
+ * not checked. Changes in FDs recorded by markOpenedFilesBeforePreload() are not expected and
+ * kill the current process.
+ */
+ static void allowFilesOpenedByPreload() {
+ nativeAllowFilesOpenedByPreload();
+ }
+
+ private static native void nativeAllowFilesOpenedByPreload();
+
+ /**
 * Installs a seccomp filter that limits setresuid()/setresgid() to the passed-in range
 * @param uidGidMin The smallest allowed uid/gid
 * @param uidGidMax The largest allowed uid/gid |
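Review bot: The Javadoc on `allowFilesOpenedByPreload()` does not say what happens when it is called without a preceding `markOpenedFilesBeforePreload()` or called a second time, whereas the mark method documents `Ignores repeated invocations`. Both the snapshot and the enforcement live in native code not shown here, so this comment is the only contract a Java-side caller sees; one sentence stating the required call order and the behaviour when it is violated would close the gap. The text says the exemption is determined by descriptor number, with types and file names unchecked. It should therefore also state whether a number that is closed and reused before the fork remains exempt; that appears to follow from the wording but needs confirming against the native side.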
