It is safe to grant this permission because:
* UID restrictions will prevent killing arbitrary apps.
* Runas enforces restrictions preventing transitioning to UIDs of apps
that are not debuggable.
Addresses:
avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768
tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process
permissive=0 app=com.example.myapplication
Bug: 263379256
Test: Build and deploy any Android app in debug mode
adb shell
run-as com.example.myapplication
kill -SIGKILL <pid>
Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62
This patch adds the necessary rules to support the existing usage of
perf_event_open by the system partition, which almost exclusively
concerns the simpleperf profiler. A new domain is introduced for some
(but not all) executions of the system image simpleperf. The following
configurations are supported:
* shell -> shell process (no domain transition)
* shell -> debuggable app (through shell -> runas -> runas_app)
* shell -> profileable app (through shell -> simpleperf_app_runner ->
untrusted_app -> simpleperf)
* debuggable/profile app -> self (through untrusted_app -> simpleperf)
simpleperf_app_runner still enters the untrusted_app domain immediately
before exec to properly inherit the categories related to MLS. My
understanding is that a direct transition would require modifying
external/selinux and seapp_contexts as with "fromRunAs", which seems
unnecessarily complex for this case.
runas_app can still run side-loaded binaries and use perf_event_open,
but it checks that the target app is exactly "debuggable"
(profileability is insufficient).
system-wide profiling is effectively constrained to "su" on debug
builds.
See go/perf-event-open-security for a more detailed explanation of the
scenarios covered here.
Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug
Tested: manual simpleperf invocations on crosshatch-userdebug
Bug: 137092007
Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
system/sepolicy commit ffa2b61330
introduced the runas_app SELinux domain, which changed how we perform
debugging and profiling of Android applications. This broke Android
Studio's profiling tool.
Android Studio's profiling tool has the run-as spawned application
connect to an app created unix domain sockets in the
abstract namespace.
Note: this differs from system/sepolicy commit
3e5668f173, which allows connections in
the reverse direction (from app to runas_app). That change (b/123297648)
was made for a different part of Android Studio, Android Studio Instant
Run.
Addresses the following denial:
2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni
(hex decode of 00436C69656E74 is "Client")
2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps
(hex decode of
00416E64726F696453747564696F5472616E73706F72744167656E743139383839
is "AndroidStudioTransportAgent19889")
Bug: 120445954
Test: manual
Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1
system/sepolicy commit ffa2b61330
introduced the runas_app SELinux domain, which changed how we perform
debugging of Android applications. This broke Android Studio's lldb.
From bugreport:
Debugging an app containing native code using ndk-gdb or Android
Studio's lldb currently fails. There is an selinux error in logcat
about a sigchld denial. Studio can still debug Java-only apps.
In Android Studio, starting the debugger on an app with native
code produces this selinux denial:
01-30 06:58:02.089 13449 13449 W lldb-server: type=1400 audit(0.0:831): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tcontext=u:r:runas_app:s0:c167,c256,c512,c768 tclass=process permissive=0 app=com.android.ndktestapp
With "set enforce 0", I also see a sigstop denial:
01-30 07:31:12.209 15672 15672 I lldb-server: type=1400 audit(0.0:1290): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c167,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c167,c256,c512,c768 tclass=process permissive=1 app=com.android.ndktestapp
In gdb-server.log, Studio reports this error while trying to start lldb-server:
1548831482.091491938 GDBRemoteCommunicationServerLLGS::Handle_vAttach attempting to attach to pid 13379
1548831482.091519117 GDBRemoteCommunicationServerLLGS::AttachToProcess pid 13379
1548831482.092242956 GDBRemoteCommunicationServerLLGS::Handle_vAttach failed to attach to pid 13379: Permission denied
Using ndk-gdb (e.g. on the NdkGdbSample) produces the same sort
of selinux denial:
01-30 07:11:26.742 13926 13926 W arm64-gdbserver: type=1400 audit(0.0:833): avc: denied { sigchld } for scontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tcontext=u:r:runas_app:s0:c166,c256,c512,c768 tclass=process permissive=0 app=com.android.developer.ndkgdbsample
If I use "setenforce 0", I see more denials logged (signal and
sigstop):
01-30 07:30:23.346 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1287): avc: denied { signal } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
01-30 07:30:23.349 15478 15478 I arm64-gdbserver: type=1400 audit(0.0:1288): avc: denied { sigstop } for scontext=u:r:runas_app:s0:c166,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c166,c256,c512,c768 tclass=process permissive=1 app=com.android.developer.ndkgdbsample
ndk-gdb times out and prints an error:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ /x/android-ndk-r19/ndk-gdb --launch
Redirecting gdbserver output to /tmp/gdbclient.log
...
Error: unable to connect to device.
Remote communication error. Target disconnected.: Connection reset by peer.
gdbclient.log shows that gdbserver hasn't started listening to its Unix socket yet:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 14232
Normal output looks like this:
rprichard@cashew:/x/ndk/ndk/samples/NdkGdbSample$ cat /tmp/gdbclient.log
Attached; pid = 27799
Listening on Unix domain socket '/data/data/com.android.developer.ndkgdbsample/debug_socket'
Remote debugging from host 127.0.0.0
Test: compiles and builds
Bug: 123612207
Change-Id: Ia9a711cc54cc044c0817a7c17eb4506015adb393
runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile
debuggable apps. But it misses permissions to ptrace app processes and
read /proc/<app_pid> directory.
Bug: none
Test: build and boot marlin.
Test: run lldb and simpleperf on apps with target sdk version 24-29.
Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0
Remove the ability for applications to dlopen() executable code from
their home directory for newer API versions. API versions <= 28 are
uneffected by this change.
Bug: 112357170
Test: cts-tradefed run cts -m CtsRenderscriptTestCases
Change-Id: I1d7f3a1015d54b8610d1c561f38a1a3c2bcf79e4
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.
Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
