From 770a4f6539d0243be31d1788b98fe65f372c3e5a Mon Sep 17 00:00:00 2001
From: Yabin Cui <yabinc@google.com>
Date: Mon, 7 Jan 2019 16:37:24 -0800
Subject: [PATCH] Add permissions in runas_app domain to debug/profile
 debuggable apps.

runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile
debuggable apps. But it misses permissions to ptrace app processes and
read /proc/<app_pid> directory.

Bug: none
Test: build and boot marlin.
Test: run lldb and simpleperf on apps with target sdk version 24-29.
Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0
---
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/compat/27.0/27.0.ignore.cil |  1 +
 private/compat/28.0/28.0.ignore.cil |  1 +
 private/runas_app.te                | 10 ++++++++--
 private/seapp_contexts              |  3 ++-
 public/runas_app.te                 |  1 +
 public/te_macros                    |  9 +++++----
 7 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 public/runas_app.te

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index de0cc7987..91724c079 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -135,6 +135,7 @@
     property_info
     recovery_socket
     role_service
+    runas_app
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 429725c70..ff1c85781 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -122,6 +122,7 @@
     property_info
     recovery_socket
     role_service
+    runas_app
     runtime_service
     secure_element
     secure_element_device
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9133c4491..58e936c31 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -73,6 +73,7 @@
     rs_exec
     rss_hwm_reset
     rss_hwm_reset_exec
+    runas_app
     runtime_service
     sensor_privacy_service
     server_configurable_flags_data_file
diff --git a/private/runas_app.te b/private/runas_app.te
index b976b9187..638702c7e 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -1,4 +1,3 @@
-type runas_app, domain;
 typeattribute runas_app coredomain;
 
 app_domain(runas_app)
@@ -7,5 +6,12 @@ net_domain(runas_app)
 bluetooth_domain(runas_app)
 
 # The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Needed by simpleperf.
+# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
+# which are copied to the apps home directories.
 allow runas_app app_data_file:file execute_no_trans;
+
+# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
+r_dir_file(runas_app, untrusted_app_all)
+
+# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
+allow runas_app untrusted_app_all:process ptrace;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 14a8bff53..9fc6816e8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -122,4 +122,5 @@ user=_app minTargetSdkVersion=29 domain=untrusted_app type=app_data_file levelFr
 user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
 user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app fromRunAs=true domain=runas_app levelFrom=all
+user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
+user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/public/runas_app.te b/public/runas_app.te
new file mode 100644
index 000000000..cdaa799c9
--- /dev/null
+++ b/public/runas_app.te
@@ -0,0 +1 @@
+type runas_app, domain;
diff --git a/public/te_macros b/public/te_macros
index c70e7db38..149d5ac22 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -176,15 +176,16 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
-neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+neverallow { $1 -runas_app -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -runas_app -shell -$1 } $1:file no_rw_file_perms;
 # The Android security model guarantees the confidentiality and integrity
 # of application data and execution state. Ptrace bypasses those
 # confidentiality guarantees. Disallow ptrace access from system components
 # to apps. Crash_dump is excluded, as it needs ptrace access to
 # produce stack traces.  llkd is excluded, as it needs to inspect
-# the kernel stack for live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') } $1:process ptrace;
+# the kernel stack for live lock conditions. runas_app is excluded, as it can
+# only access debuggable apps.
+neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app } $1:process ptrace;
 ')
 
 #####################################
-- 
GitLab