platform_system_sepolicy/public/runas.te

type runas, domain, mlstrustedsubject;
type runas_exec, system_file_type, exec_type, file_type;

allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
allow runas shell:fifo_file { read write };
allow runas shell:unix_stream_socket { read write };
allow runas devpts:chr_file { read write ioctl };
allow runas shell_data_file:file { read write };

# run-as reads package information.
allow runas system_data_file:file r_file_perms;
allow runas system_data_file:lnk_file getattr;
allow runas packages_list_file:file r_file_perms;

# The app's data dir may be accessed through a symlink.
allow runas system_data_file:lnk_file read;

# run-as checks and changes to the app data dir.
dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:global_capability_class_set { setuid setgid };

# run-as switches to the app security context.
selinux_check_context(runas) # validate context
allow runas self:process setcurrent;
allow runas non_system_app_set:process dyntransition; # setcon

# runas/libselinux needs access to seapp_contexts_file to
# determine which domain to transition to.
allow runas seapp_contexts_file:file r_file_perms;

###
### neverallow rules
###

# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
neverallow runas self:global_capability_class_set ~{ setuid setgid };
neverallow runas self:global_capability2_class_set *;
Move domain_deprecated into private policy This attribute is being actively removed from policy. Since attributes are not being versioned, partners must not be able to access and use this attribute. Move it from private and verify in the logs that rild and tee are not using these permissions. Bug: 38316109 Test: build and boot Marlin Test: Verify that rild and tee are not being granted any of these permissions. Change-Id: I31beeb5bdf3885195310b086c1af3432dc6a349b 2017-05-15 22:19:03 +02:00			`type runas, domain, mlstrustedsubject;`
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5 2018-09-27 19:21:37 +02:00			`type runas_exec, system_file_type, exec_type, file_type;`
Add policy for run-as program. Add policy for run-as program and label it in file_contexts. Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward. Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2012-11-13 19:00:05 +01:00
Avoid audit when running `adb shell -t run-as xxx`. run-as uses file descriptor created by adbd when running `adb shell -t run-as xxx`. It produces audit warnings like below: [ 2036.555371] c1 509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd Bug: http://b/62358246 Test: test manually that the warning disappears. Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb 2017-06-20 01:02:07 +02:00			`allow runas adbd:fd use;`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00			`allow runas adbd:process sigchld;`
Allow run-as to read/write unix_stream_sockets created by adbd. This is to Allow commands like `adb shell run-as ...`. Bug: http://b/62358246 Test: run commands manually. Change-Id: I7bb6c79a6e27ff1224a80c6ddeffb7f27f492bb2 2017-06-06 03:20:42 +02:00			`allow runas adbd:unix_stream_socket { read write };`
runas: allow pipe communication from the shell run-as won't communicate with shell via pipes. Allow it. nnk@nnk:~$ adb shell "cat /dev/zero \| run-as com.google.foo sh -c 'cat'" /system/bin/sh: cat: <stdout>: Broken pipe <4>[ 1485.483517] type=1400 audit(1402623577.085:25): avc: denied { read } for pid=6026 comm="run-as" path="pipe:[29823]" dev="pipefs" ino=29823 scontext=u:r:runas:s0 tcontext=u:r:shell:s0 tclass=fifo_file read is definitely needed. Not sure about write, but adding it just in case. Change-Id: Ifdf838b0df79a5f1e9559af57c2d1fdb8c41a201 2014-06-13 03:54:10 +02:00			`allow runas shell:fd use;`
			`allow runas shell:fifo_file { read write };`
allow run-as to carry unix_stream_sockets Allow run-as to transmit unix_stream_sockets from the shell user to Android apps. This is needed for Android Studio's profiling tool to allow communcation between apps and debugging tools which run as the shell user. Bug: 35672396 Test: Functionality was tested by shukang Test: policy compiles. Change-Id: I2cc2e4cd5b9071cbc7d6f6b5b0b71595fecb455e 2017-02-28 08:15:51 +01:00			`allow runas shell:unix_stream_socket { read write };`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00			`allow runas devpts:chr_file { read write ioctl };`
allow run-as to access /data/local/tmp Otherwise denials like the following occur: avc: denied { write } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file avc: denied { read } for path="/data/local/tmp/foo" dev="dm-0" ino=325769 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file Steps to reproduce: $ run-as com.google.android.talk id > /data/local/tmp/id.out $ run-as com.google.android.talk cat < /data/local/tmp/id.out Change-Id: I68a7b804336a3d5776dcc31622f1279380282030 2014-11-08 01:21:42 +01:00			`allow runas shell_data_file:file { read write };`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00
			`# run-as reads package information.`
			`allow runas system_data_file:file r_file_perms;`
domain_deprecate: remove system_data_file access scontext=installd avc: granted { getattr } for comm="Binder:1153_7" path="/data/user/0" dev="sda13" ino=1097730 scontext=u:r:installd:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file scontext=runas avc: granted { getattr } for comm="run-as" path="/data/user/0" dev="sda35" ino=942082 scontext=u:r:runas:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file scontext=vold avc: granted { getattr } for comm="vold" path="/data/data" dev="sda45" ino=12 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=lnk_file avc: granted { read } for comm="secdiscard" name="3982c444973581d4.spblob" dev="sda45" ino=4620302 scontext=u:r:vold:s0 tcontext=u:object_r:system_data_file:s0 tclass=file Bug: 28760354 Test: Build Change-Id: Id16c43090675572af35f1ad9defd4c368abc906b 2017-07-12 07:00:08 +02:00			`allow runas system_data_file:lnk_file getattr;`
Relabel /data/system/packages.list to new type. Conservatively grant access to packages_list_file to everything that had access to system_data_file:file even if the comment in the SELinux policy suggests it was for another use. Ran a diff on the resulting SEPolicy, the only difference of domains being granted is those that had system_data_file:dir permissiosn which is clearly not applicable for packages.list diff -u0 <(sesearch --allow -t system_data_file ~/sepolicy \| sed 's/system_data_file/packages_list_file/') <(sesearch --allow -t packages_list_file ~/sepolicy_new) --- /proc/self/fd/16 2019-03-19 20:01:44.378409146 +0000 +++ /proc/self/fd/18 2019-03-19 20:01:44.378409146 +0000 @@ -3 +2,0 @@ -allow appdomain packages_list_file:dir getattr; @@ -6 +4,0 @@ -allow coredomain packages_list_file:dir getattr; @@ -8 +5,0 @@ -allow domain packages_list_file:dir search; @@ -35 +31,0 @@ -allow system_server packages_list_file:dir { rename search setattr read lock create reparent getattr write relabelfrom ioctl rmdir remove_name open add_name }; @@ -40 +35,0 @@ -allow tee packages_list_file:dir { search read lock getattr ioctl open }; @@ -43,3 +37,0 @@ -allow traced_probes packages_list_file:dir { read getattr open search }; -allow vendor_init packages_list_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name open add_name }; -allow vold packages_list_file:dir { search setattr read lock create getattr mounton write ioctl rmdir remove_name open add_name }; @@ -48 +39,0 @@ -allow vold_prepare_subdirs packages_list_file:dir { read write relabelfrom rmdir remove_name open add_name }; @@ -50 +40,0 @@ -allow zygote packages_list_file:dir { search read lock getattr ioctl open }; Bug: 123186697 Change-Id: Ieabf313653deb5314872b63cd47dadd535af7b07 2019-03-19 19:14:38 +01:00			`allow runas packages_list_file:file r_file_perms;`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00
Selinux: Give runas permission to read system_data_file links Run-as is running a command under an app's uid and in its data directory. That data directory may be accessed through a symlink from /data/user. So give runas rights to read such a symlink. Bug: 66292688 Test: manual Test: CTS JVMTI tests Change-Id: I0e0a40d11bc00d3ec1eee561b6223732a0d2eeb6 2017-09-21 06:34:55 +02:00			`# The app's data dir may be accessed through a symlink.`
			`allow runas system_data_file:lnk_file read;`

Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00			`# run-as checks and changes to the app data dir.`
sepolicy: grant dac_read_search to domains with dac_override kernel commit 2a4c22426955d4fc04069811997b7390c0fb858e (fs: switch order of CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH checks) swapped the order of dac_override and dac_read_search checks. Domains that have dac_override will now generate spurious denials for dac_read_search unless they also have that permission. Since dac_override is a strict superset of dac_read_search, grant dac_read_search to all domains that already have dac_override to get rid of the denials. Bug: 114280985 Bug: crbug.com/877588 Test: Booted on a device running 4.14. Change-Id: I5c1c136b775cceeb7f170e139e8d4279e73267a4 2018-09-07 00:19:40 +02:00			`dontaudit runas self:global_capability_class_set { dac_override dac_read_search };`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00			`allow runas app_data_file:dir { getattr search };`

			`# run-as switches to the app UID/GID.`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow runas self:global_capability_class_set { setuid setgid };`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00
			`# run-as switches to the app security context.`
			`selinux_check_context(runas) # validate context`
Restrict requesting contexts other than policy-defined defaults. Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-05-23 17:26:19 +02:00			`allow runas self:process setcurrent;`
Support run-as and ndk-gdb functionality. Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-29 19:42:39 +01:00			`allow runas non_system_app_set:process dyntransition; # setcon`
runas: don't allow capabilities other than setuid/setgid Add a compile time assertion that capabilities other than setuid and setgid are never granted to run-as. This is a compile time assertion only. No new capabilities are granted or removed. Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220 2015-03-26 01:42:37 +01:00
runas: Grant access to seapp_contexts_file Runas/libselinux needs access to seapp_contexts_file to determine transitions into app domains. Addresses: avc: denied { read } for pid=7154 comm="run-as" name="plat_seapp_contexts" dev="rootfs" ino=9827 scontext=u:r:runas:s0 tcontext=u:object_r:seapp_contexts_file:s0 tclass=file Bug: 36782586 Test: Marlin policy builds Change-Id: I0f0e937e56721d458e250d48ce62f80e3694900f 2017-03-30 21:58:06 +02:00			`# runas/libselinux needs access to seapp_contexts_file to`
			`# determine which domain to transition to.`
			`allow runas seapp_contexts_file:file r_file_perms;`

runas: don't allow capabilities other than setuid/setgid Add a compile time assertion that capabilities other than setuid and setgid are never granted to run-as. This is a compile time assertion only. No new capabilities are granted or removed. Change-Id: Ie86d651b539cdfb6f3eaafef0d5d3b716610a220 2015-03-26 01:42:37 +01:00			`###`
			`### neverallow rules`
			`###`

			`# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID`
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`neverallow runas self:global_capability_class_set ~{ setuid setgid };`
			`neverallow runas self:global_capability2_class_set *;`