platform_system_sepolicy/private/runas_app.te

typeattribute runas_app coredomain;

app_domain(runas_app)
untrusted_app_domain(runas_app)
net_domain(runas_app)
bluetooth_domain(runas_app)

# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;

# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
r_dir_file(runas_app, untrusted_app_all)

# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;

# Allow executing system image simpleperf without a domain transition.
allow runas_app simpleperf_exec:file rx_file_perms;

# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective process, most of which this domain is not
# allowed to see.
dontaudit runas_app domain:dir search;

# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
Add runas_app domain to allow running app data file via run-as. Calling execve() on files in an app's home directory isn't allowed for targetApi >=29. But this is needed by simpleperf to profile a debuggable app via run-as. So workaround it by adding runas_app domain, which allows running app data file. And add a rule in seapp_contexts to use runas_app domain for setcontext requests from run-as. Bug: 118737210 Test: boot marlin and run CtsSimpleperfTestCases. Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5 2018-11-02 22:34:06 +01:00			`typeattribute runas_app coredomain;`

			`app_domain(runas_app)`
			`untrusted_app_domain(runas_app)`
			`net_domain(runas_app)`
			`bluetooth_domain(runas_app)`

Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`# The ability to call exec() on files in the apps home directories`
Add permissions in runas_app domain to debug/profile debuggable apps. runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile debuggable apps. But it misses permissions to ptrace app processes and read /proc/<app_pid> directory. Bug: none Test: build and boot marlin. Test: run lldb and simpleperf on apps with target sdk version 24-29. Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0 2019-01-08 01:37:24 +01:00			`# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,`
			`# which are copied to the apps home directories.`
Revert "remove app_data_file execute" This reverts commit b362474374afc402f65695252d30a008326c0eba. Reason for revert: android.jvmti.cts.JvmtiHostTest1906#testJvmti unittest failures. Bug: 121333210 Bug: 112357170 Change-Id: I6e68855abaaaa1e9248265a468712fa8d70ffa74 Test: compiles and boots 2018-12-21 19:03:50 +01:00			`allow runas_app app_data_file:file execute_no_trans;`
Add permissions in runas_app domain to debug/profile debuggable apps. runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile debuggable apps. But it misses permissions to ptrace app processes and read /proc/<app_pid> directory. Bug: none Test: build and boot marlin. Test: run lldb and simpleperf on apps with target sdk version 24-29. Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0 2019-01-08 01:37:24 +01:00
			`# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.`
			`r_dir_file(runas_app, untrusted_app_all)`

			`# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.`
Allow permissions needed for gdb debugging system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b introduced the runas_app SELinux domain, which changed how we perform debugging of Android applications. This broke Android Studio's lldb. From bugreport: Debugging an app containing native code using ndk-gdb or Android Studio's lldb currently fails. There is an selinux error in logcat about a sigchld denial. Studio can still debug Java-only apps. In Android Studio, starting the debugger on an app with native code produces this selinux denial: 01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp With "set enforce 0", I also see a sigstop denial: 01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp In gdb-server.log, Studio reports this error while trying to start lldb-server: 1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379 1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379 1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort of selinux denial: 01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample If I use "setenforce 0", I see more denials logged (signal and sigstop): 01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample 01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample ndk-gdb times out and prints an error: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch Redirecting gdbserver output to /tmp/gdbclient.log ... Error: unable to connect to device. Remote communication error. Target disconnected.: Connection reset by peer. gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 14232 Normal output looks like this: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 27799 Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket' Remote debugging from host 127.0.0.0 Test: compiles and builds Bug: 123612207 Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393 2019-01-30 22:19:36 +01:00			`allow runas_app untrusted_app_all:process { ptrace signal sigstop };`
allow runas_app untrusted_app_all:unix_stream_socket connectto system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b introduced the runas_app SELinux domain, which changed how we perform debugging and profiling of Android applications. This broke Android Studio's profiling tool. Android Studio's profiling tool has the run-as spawned application connect to an app created unix domain sockets in the abstract namespace. Note: this differs from system/sepolicy commit 3e5668f173374a98ff13b94523960c5bf14c8b72, which allows connections in the reverse direction (from app to runas_app). That change (b/123297648) was made for a different part of Android Studio, Android Studio Instant Run. Addresses the following denial: 2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni (hex decode of 00436C69656E74 is "Client") 2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps (hex decode of 00416E64726F696453747564696F5472616E73706F72744167656E743139383839 is "AndroidStudioTransportAgent19889") Bug: 120445954 Test: manual Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1 2019-02-08 20:30:13 +01:00			`allow runas_app untrusted_app_all:unix_stream_socket connectto;`
perf_event: rules for system and simpleperf domain This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066 2020-01-10 20:02:43 +01:00
			`# Allow executing system image simpleperf without a domain transition.`
			`allow runas_app simpleperf_exec:file rx_file_perms;`

			`# Suppress denial logspam when simpleperf is trying to find a matching process`
			`# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within`
			`# the same domain as their respective process, most of which this domain is not`
			`# allowed to see.`
			`dontaudit runas_app domain:dir search;`

			`# Allow runas_app to call perf_event_open for profiling debuggable app`
			`# processes, but not the whole system.`
			`allow runas_app self:perf_event { open read write kernel };`
			`neverallow runas_app self:perf_event ~{ open read write kernel };`