From 337f56467b9a29d69a3bd54b7e0193a61a7ac1e6 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 30 Jan 2019 13:19:36 -0800 Subject: [PATCH] Allow permissions needed for gdb debugging system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b introduced the runas_app SELinux domain, which changed how we perform debugging of Android applications. This broke Android Studio's lldb. From bugreport: Debugging an app containing native code using ndk-gdb or Android Studio's lldb currently fails. There is an selinux error in logcat about a sigchld denial. Studio can still debug Java-only apps. In Android Studio, starting the debugger on an app with native code produces this selinux denial: 01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp With "set enforce 0", I also see a sigstop denial: 01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp In gdb-server.log, Studio reports this error while trying to start lldb-server: 1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379 1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379 1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort of selinux denial: 01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample If I use "setenforce 0", I see more denials logged (signal and sigstop): 01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample 01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample ndk-gdb times out and prints an error: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch Redirecting gdbserver output to /tmp/gdbclient.log ... Error: unable to connect to device. Remote communication error. Target disconnected.: Connection reset by peer. gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 14232 Normal output looks like this: rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log Attached; pid = 27799 Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket' Remote debugging from host 127.0.0.0 Test: compiles and builds Bug: 123612207 Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393 --- private/runas_app.te | 2 +- private/untrusted_app_all.te | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/private/runas_app.te b/private/runas_app.te index 638702c7e..525aea1dd 100644 --- a/private/runas_app.te +++ b/private/runas_app.te @@ -14,4 +14,4 @@ allow runas_app app_data_file:file execute_no_trans; r_dir_file(runas_app, untrusted_app_all) # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes. -allow runas_app untrusted_app_all:process ptrace; +allow runas_app untrusted_app_all:process { ptrace signal sigstop }; diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te index 712a3607a..2c44627c4 100644 --- a/private/untrusted_app_all.te +++ b/private/untrusted_app_all.te @@ -112,6 +112,10 @@ allow untrusted_app_all self:process ptrace; # b/123297648 allow untrusted_app_all runas_app:unix_stream_socket connectto; +# Untrusted apps need to be able to send a SIGCHLD to runas_app +# when running under a debugger (b/123612207) +allow untrusted_app_all runas_app:process sigchld; + # Cts: HwRngTest allow untrusted_app_all sysfs_hwrandom:dir search; allow untrusted_app_all sysfs_hwrandom:file r_file_perms;