platform_system_sepolicy/private/runas_app.te

typeattribute runas_app coredomain;

app_domain(runas_app)
untrusted_app_domain(runas_app)
net_domain(runas_app)
bluetooth_domain(runas_app)

# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;

# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
r_dir_file(runas_app, untrusted_app_all)

# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;

# Allow executing system image simpleperf without a domain transition.
allow runas_app simpleperf_exec:file rx_file_perms;

# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective process, most of which this domain is not
# allowed to see.
dontaudit runas_app domain:dir search;

# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };

# Suppress bionic loader denial /data/local/tests directories.
dontaudit runas_app shell_test_data_file:dir search;
Add runas_app domain to allow running app data file via run-as. Calling execve() on files in an app's home directory isn't allowed for targetApi >=29. But this is needed by simpleperf to profile a debuggable app via run-as. So workaround it by adding runas_app domain, which allows running app data file. And add a rule in seapp_contexts to use runas_app domain for setcontext requests from run-as. Bug: 118737210 Test: boot marlin and run CtsSimpleperfTestCases. Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5 2018-11-02 22:34:06 +01:00			`typeattribute runas_app coredomain;`

			`app_domain(runas_app)`
			`untrusted_app_domain(runas_app)`
			`net_domain(runas_app)`
			`bluetooth_domain(runas_app)`

Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`# The ability to call exec() on files in the apps home directories`
Add permissions in runas_app domain to debug/profile debuggable apps. runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile debuggable apps. But it misses permissions to ptrace app processes and read /proc/<app_pid> directory. Bug: none Test: build and boot marlin. Test: run lldb and simpleperf on apps with target sdk version 24-29. Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0 2019-01-08 01:37:24 +01:00			`# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,`
			`# which are copied to the apps home directories.`
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`allow runas_app app_data_file:file execute_no_trans;`
Add permissions in runas_app domain to debug/profile debuggable apps. runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile debuggable apps. But it misses permissions to ptrace app processes and read /proc/<app_pid> directory. Bug: none Test: build and boot marlin. Test: run lldb and simpleperf on apps with target sdk version 24-29. Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0 2019-01-08 01:37:24 +01:00
			`# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.`
			`r_dir_file(runas_app, untrusted_app_all)`

			`# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.`
runas_app: allow sigkill of untrusted_app It is safe to grant this permission because: * UID restrictions will prevent killing arbitrary apps. * Runas enforces restrictions preventing transitioning to UIDs of apps that are not debuggable. Addresses: avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process permissive=0 app=com.example.myapplication Bug: 263379256 Test: Build and deploy any Android app in debug mode adb shell run-as com.example.myapplication kill -SIGKILL <pid> Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62 2023-01-20 09:02:19 +01:00			`allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };`
allow runas_app untrusted_app_all:unix_stream_socket connectto system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b introduced the runas_app SELinux domain, which changed how we perform debugging and profiling of Android applications. This broke Android Studio's profiling tool. Android Studio's profiling tool has the run-as spawned application connect to an app created unix domain sockets in the abstract namespace. Note: this differs from system/sepolicy commit 3e5668f173374a98ff13b94523960c5bf14c8b72, which allows connections in the reverse direction (from app to runas_app). That change (b/123297648) was made for a different part of Android Studio, Android Studio Instant Run. Addresses the following denial: 2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni (hex decode of 00436C69656E74 is "Client") 2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps (hex decode of 00416E64726F696453747564696F5472616E73706F72744167656E743139383839 is "AndroidStudioTransportAgent19889") Bug: 120445954 Test: manual Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1 2019-02-08 20:30:13 +01:00			`allow runas_app untrusted_app_all:unix_stream_socket connectto;`
perf_event: rules for system and simpleperf domain This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066 2020-01-10 20:02:43 +01:00
			`# Allow executing system image simpleperf without a domain transition.`
			`allow runas_app simpleperf_exec:file rx_file_perms;`

			`# Suppress denial logspam when simpleperf is trying to find a matching process`
			`# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within`
			`# the same domain as their respective process, most of which this domain is not`
			`# allowed to see.`
			`dontaudit runas_app domain:dir search;`

			`# Allow runas_app to call perf_event_open for profiling debuggable app`
			`# processes, but not the whole system.`
			`allow runas_app self:perf_event { open read write kernel };`
			`neverallow runas_app self:perf_event ~{ open read write kernel };`
Don't audit shell_test_data_file for runas_app Test: NA Bug: 291838956 Change-Id: Iab61ade7fc105004c59da7b827f0aa5151b5f3ab 2023-07-31 22:45:33 +02:00
			`# Suppress bionic loader denial /data/local/tests directories.`
			`dontaudit runas_app shell_test_data_file:dir search;`