platform_system_sepolicy/runas.te

type runas, domain, mlstrustedsubject;
type runas_exec, file_type;

bool support_runas true;

if (support_runas) {

# ndk-gdb invokes adb shell ps to find the app PID.
r_dir_file(shell, untrusted_app)
dontaudit shell domain:dir r_dir_perms;
dontaudit shell domain:file r_file_perms;

# ndk-gdb invokes adb shell ls to check the app data dir.
allow shell app_data_file:dir search;

# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
allow shell untrusted_app:process sigkill;
dontaudit shell self:capability { sys_ptrace kill };

# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
allow runas adbd:process sigchld;
allow runas shell:fd  use;
allow runas devpts:chr_file { read write ioctl };

# run-as reads package information.
allow runas system_data_file:file r_file_perms;

# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };

# run-as switches to the app security context.
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon

# run-as runs lib/gdbserver from the app data dir.
allow untrusted_app system_data_file:file rx_file_perms;

# gdbserver reads the zygote.
allow untrusted_app zygote_exec:file r_file_perms;

# (grand)child death notification.
allow untrusted_app shell:process sigchld;
allow untrusted_app adbd:process sigchld;

# child shell or gdbserver pty access.
allow untrusted_app devpts:chr_file { getattr read write ioctl };

# gdbserver creates a socket in the app data dir.
allow untrusted_app app_data_file:sock_file { create unlink };

# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd untrusted_app:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

}
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00			`type runas, domain, mlstrustedsubject;`
			`type runas_exec, file_type;`

			`bool support_runas true;`

			`if (support_runas) {`

			`# ndk-gdb invokes adb shell ps to find the app PID.`
			`r_dir_file(shell, untrusted_app)`
			`dontaudit shell domain:dir r_dir_perms;`
			`dontaudit shell domain:file r_file_perms;`

			`# ndk-gdb invokes adb shell ls to check the app data dir.`
			`allow shell app_data_file:dir search;`

			`# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.`
			`allow shell untrusted_app:process sigkill;`
			`dontaudit shell self:capability { sys_ptrace kill };`

			`# ndk-gdb invokes adb shell run-as.`
			`domain_auto_trans(shell, runas_exec, runas)`
run-as policy fixes. - Remove dac_read_search as it is no longer required by run-as. - Introduce a separate type for /dev/tty so that we can allow use of own tty for for a run-as shell without allowing access to other /dev/tty[0-9]* nodes. - Allow sigchld notifications for death of run-as and its descendants by adbd. - Drop redundant rules for executing shell or system commands from untrusted_app; now covered by rules in app.te. Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c 2013-04-05 20:22:27 +02:00			`allow runas adbd:process sigchld;`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00			`allow runas shell:fd use;`
run-as policy fixes. - Remove dac_read_search as it is no longer required by run-as. - Introduce a separate type for /dev/tty so that we can allow use of own tty for for a run-as shell without allowing access to other /dev/tty[0-9]* nodes. - Allow sigchld notifications for death of run-as and its descendants by adbd. - Drop redundant rules for executing shell or system commands from untrusted_app; now covered by rules in app.te. Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c 2013-04-05 20:22:27 +02:00			`allow runas devpts:chr_file { read write ioctl };`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00
			`# run-as reads package information.`
			`allow runas system_data_file:file r_file_perms;`

			`# run-as checks and changes to the app data dir.`
			`dontaudit runas self:capability dac_override;`
			`allow runas app_data_file:dir { getattr search };`

			`# run-as switches to the app UID/GID.`
			`allow runas self:capability { setuid setgid };`

			`# run-as switches to the app security context.`
Give domains read access to security_file domain. /data/security is another location that policy files can reside. In fact, these policy files take precedence over their rootfs counterparts under certain circumstances. Give the appropriate players the rights to read these policy files. Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41 2013-04-04 22:17:36 +02:00			`# read /seapp_contexts and /data/security/seapp_contexts`
			`security_access_policy(runas)`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00			`selinux_check_context(runas) # validate context`
			`allow runas untrusted_app:process dyntransition; # setcon`

			`# run-as runs lib/gdbserver from the app data dir.`
			`allow untrusted_app system_data_file:file rx_file_perms;`

			`# gdbserver reads the zygote.`
			`allow untrusted_app zygote_exec:file r_file_perms;`

			`# (grand)child death notification.`
			`allow untrusted_app shell:process sigchld;`
run-as policy fixes. - Remove dac_read_search as it is no longer required by run-as. - Introduce a separate type for /dev/tty so that we can allow use of own tty for for a run-as shell without allowing access to other /dev/tty[0-9]* nodes. - Allow sigchld notifications for death of run-as and its descendants by adbd. - Drop redundant rules for executing shell or system commands from untrusted_app; now covered by rules in app.te. Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c 2013-04-05 20:22:27 +02:00			`allow untrusted_app adbd:process sigchld;`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00
			`# child shell or gdbserver pty access.`
run-as policy fixes. - Remove dac_read_search as it is no longer required by run-as. - Introduce a separate type for /dev/tty so that we can allow use of own tty for for a run-as shell without allowing access to other /dev/tty[0-9]* nodes. - Allow sigchld notifications for death of run-as and its descendants by adbd. - Drop redundant rules for executing shell or system commands from untrusted_app; now covered by rules in app.te. Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c 2013-04-05 20:22:27 +02:00			`allow untrusted_app devpts:chr_file { getattr read write ioctl };`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00
			`# gdbserver creates a socket in the app data dir.`
			`allow untrusted_app app_data_file:sock_file { create unlink };`

			`# ndk-gdb invokes adb forward to forward the gdbserver socket.`
			`allow adbd app_data_file:dir search;`
			`allow adbd app_data_file:sock_file write;`
			`allow adbd untrusted_app:unix_stream_socket connectto;`

			`# ndk-gdb invokes adb pull of app_process, linker, and libc.so.`
			`allow adbd zygote_exec:file r_file_perms;`
			`allow adbd system_file:file r_file_perms;`

			`}`