-
Stephen Smalley authored
- Remove dac_read_search as it is no longer required by run-as. - Introduce a separate type for /dev/tty so that we can allow use of own tty for for a run-as shell without allowing access to other /dev/tty[0-9]* nodes. - Allow sigchld notifications for death of run-as and its descendants by adbd. - Drop redundant rules for executing shell or system commands from untrusted_app; now covered by rules in app.te. Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c
74ba8c86
runas.te 2.09 KiB
type runas, domain, mlstrustedsubject;
type runas_exec, file_type;
bool support_runas true;
if (support_runas) {
# ndk-gdb invokes adb shell ps to find the app PID.
r_dir_file(shell, untrusted_app)
dontaudit shell domain:dir r_dir_perms;
dontaudit shell domain:file r_file_perms;
# ndk-gdb invokes adb shell ls to check the app data dir.
allow shell app_data_file:dir search;
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
allow shell untrusted_app:process sigkill;
dontaudit shell self:capability { sys_ptrace kill };
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
allow runas adbd:process sigchld;
allow runas shell:fd use;
allow runas devpts:chr_file { read write ioctl };
# run-as reads package information.
allow runas system_data_file:file r_file_perms;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
allow runas rootfs:file r_file_perms; # read /seapp_contexts
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon
# run-as runs lib/gdbserver from the app data dir.
allow untrusted_app system_data_file:file rx_file_perms;
# gdbserver reads the zygote.
allow untrusted_app zygote_exec:file r_file_perms;
# (grand)child death notification.
allow untrusted_app shell:process sigchld;
allow untrusted_app adbd:process sigchld;
# child shell or gdbserver pty access.
allow untrusted_app devpts:chr_file { getattr read write ioctl };
# gdbserver creates a socket in the app data dir.
allow untrusted_app app_data_file:sock_file { create unlink };
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd untrusted_app:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
}