runas_app: allow sigkill of untrusted_app

It is safe to grant this permission because: * UID restrictions will prevent killing arbitrary apps. * Runas enforces restrictions preventing transitioning to UIDs of apps that are not debuggable. Addresses: avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process permissive=0 app=com.example.myapplication Bug: 263379256 Test: Build and deploy any Android app in debug mode adb shell run-as com.example.myapplication kill -SIGKILL <pid> Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62
2023-01-20 09:02:19 +01:00 · 2023-01-20 09:02:19 +01:00 · 5a6c0a755d
commit 5a6c0a755d
parent 9bbc1c0e72
1 changed files with 1 additions and 1 deletions
--- a/private/runas_app.te
+++ b/private/runas_app.te
@ -14,7 +14,7 @@ allow runas_app app_data_file:file execute_no_trans;
 r_dir_file(runas_app, untrusted_app_all)

 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
 allow runas_app untrusted_app_all:unix_stream_socket connectto;

 # Allow executing system image simpleperf without a domain transition.