Commit graph

83 commits

Author SHA1 Message Date
Roopa Sattiraju
f227d0d99e Changing selinux policy for privapps for new certs.
Bug: 220807590
Test: build and boot
Change-Id: Ib24fed5e4980b0c8bb4df658a961346c5b4730ad
2022-04-05 17:31:49 -07:00
Nikita Ioffe
e2da633ef7 Rename SupplementalProcess to SdkSandbox
Ignore-AOSP-First: sepolicy is not in aosp, yet
Bug: 220320098
Test: presubmit
Change-Id: I9fb98e0caee75bdaaa35d11d174004505f236799
2022-02-23 20:44:20 +00:00
Samiul Islam
76935bdef5 Add new label for supplemental data
Supplemental data is separate from app data and only supplemental
process should have access to these directories.

This CL creates a new label for such data and updates the seapp_context
to assign correct label from installd.

The new label will be applied as follows:

/data/user/0/supplemental                   #system_data_file
/data/user/0/supplemental/<app-name>        #system_data_file
/data/user/0/supplemental/<app-name>/shared #supplemental_app_data_file

Bug: 217543371
Bug: 217559719
Test: atest SupplementalProcessStorageHostTest
      - #testSelinuxLabel_SharedData
      - #testSupplementalDataAppDirectory_SharedStorageIsUsable
Ignore-AOSP-First: Feature is being developed in internal branch
Change-Id: I6572a7a5c46c52c9421d0e9c9fc653ddbd6de145
2022-02-15 18:36:58 +00:00
Kevin Jeon
4241e001e2 Make Traceur seapp_context reflect platform status
Because Traceur is being signed with the platform key in aosp/1961100,
the platform seinfo identifier is being added to Traceur so that SELinux
will correctly identify it as a platform app.

Bug: 209476712
Test: - Checked that Traceur can still take normal and long traces on
        AOSP userdebug and internal user/userdebug.
      - Checked that the Traceur app is now located in /system/app/
	instead of /system/priv-app/.
Ignore-AOSP-First: There are changes in internal that cause merge
                   conflicts when attempting to add this change to AOSP.
                   After this change is merged in internal, it will be
                   added to AOSP with the Merged-In tag.
Change-Id: Ibe7881d48798e3b71bb40e566fa8243cbb630b04
2022-01-31 17:57:54 +00:00
Rafay Kamran
bae084a7e1 Merge changes from topic "supplemental_process_sepolicy"
* changes:
  Enable supplemental_process context for com.android.supplemental.process
  Added supplemental key to the sepolicy
2021-12-13 14:19:08 +00:00
Alan Stokes
665c295efc Restrict system_server_startup domain
This seems like an oversight when system_server_startup was
introduced (commit caf42d615d).

Test: Presubmits
Change-Id: Ia371caa8dfc2c250d6ca6f571cf002e25703e793
2021-11-26 11:41:51 +00:00
RafayKamran
f3bdc0bcd4 Enable supplemental_process context for com.android.supplemental.process
Note that this requires the supplemental process app to be signed with
the supplemental process key, also added neverallow rule to ensure
supplemental_process always runs in the correct domain

Bug: 203670791
Test: Device boots, attempted to let supplemental_process run in an incorrect domain and it failed as expected, signed test app and verified that app runs in correct selinux domain
adb shell ps -eZ | grep supplemental

Ignore-AOSP-First: Feature is developed in internal branch

Change-Id: I478c9a16032dc1f1286f5295fc080cbe574f09c9
2021-11-23 11:02:42 +00:00
Bram Bonné
ea5460ab6e untrusted_app_30: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=32 including:
- No RTM_GETNEIGH on netlink route sockets.
- No RTM_GETNEIGHTBL on netlink route sockets.

Bug: 171572148
Test: atest NetworkInterfaceTest
Test: atest bionic-unit-tests-static
Test: atest CtsSelinuxTargetSdkCurrentTestCases
Test: atest CtsSelinuxTargetSdk30TestCases
Test: atest CtsSelinuxTargetSdk29TestCases
Test: atest CtsSelinuxTargetSdk28TestCases
Test: atest CtsSelinuxTargetSdk27TestCases
Test: atest CompatChangesSelinuxTest
Test: atest NetlinkSocketTest
Change-Id: I2167e6cd564854c2656ee06c2202cfff2b727af5
2021-07-05 11:42:31 +02:00
Jeff Vander Stoep
35779f082f seapp_contexts: Remove unused selectors
These have never been used in AOSP. Looking at ~10,000 Android
build images confirms that these are not used elsewhere within
the Android ecosystem.

Bug: 192532348
Test: build (failures here would be at build-time)
Change-Id: I787b14b531df31fbb9995156eb2e84719b7c90da
2021-07-01 10:51:12 +02:00
Jeff Vander Stoep
538e0d6d0e Revert "priv_app: use per-app selinux contexts"
There's some fragility in how selinux contexts are assigned
to apps with sharedUserId. As a result, some apps which share
a UID can end up in separate selinux domains. This causes bugs
when part of the app has the levelFrom=all categories set, and
other parts only have levelFrom=user resulting in an mls category
mismatch. Until this is fixed, revert back to using levelFrom=user
for priv_app.

This reverts commit 4e7769e040.
Bug: 188141923
Test: com.google.android.gts.devicepolicy.DeviceOwnerTest#testPendingSystemUpdate

Change-Id: Ic4256f9056f2c218ca94628d0707eb893f83fa5a
2021-06-07 14:28:34 +02:00
Max Bires
23f0f3b28a SEPolicy for RemoteProvisioning App
This change adds the SEPolicy changes required to support the remote
provisioning flow. The notable additions are specifically labeling the
remote provisioning app and giving it access to find the remote
provisioning service which is added in keystore. It also requires
network access in order to communicate to the provisioning servers.

This functionality is extremely narrow to the point that it seems worth
it to define a separate domain for this app, rather than add this in to
the priv_app or platform_app permission files. Since this app also
communicates with the network, it also seems advantageous to limit its
permissions only to what is absolutely necessary to perform its
function.

Test: No denials!
Change-Id: I602c12365a575d914afc91f55e6a9b6aa2e14189
2021-02-08 01:33:12 -08:00
markchien
48c600fce1 Allow network_stack to update eBPF map
Bug: 173167302
Test: m
Change-Id: I7e7fcbcada905601cf08bf99fcdeb7e61c6effae
2020-12-02 00:38:25 +00:00
Alan Stokes
f8ad33985d Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

This mostly reverts the revert in commit
b01e1d97bf, restoring commit
27e0c740f1. Changes to check_seapp to
enforce use of app_data_file_type is omitted, to be included in a
following CL.

Test: Presubmits
Bug: 171795911
Change-Id: I02b31e7b3d5634c94763387284b5a154fe5b71b4
2020-11-11 14:43:36 +00:00
Alan Stokes
b01e1d97bf Revert "Introduce app_data_file_type attribute."
This reverts commit 27e0c740f1.

Reason for revert: b/172926597

Change-Id: Id2443446cbdf51dc05b303028377895b9cf2a09e
2020-11-10 18:02:14 +00:00
Alan Stokes
27e0c740f1 Introduce app_data_file_type attribute.
This gives us an easy way for the policy to refer to all existing or
future types used for app private data files in type= assignments in
seapp_contexts.

Apply the label to all the existing types, then refactor rules to use
the new attribute.

This is intended as a pure refactoring, except that:
- Some neverallow rules are extended to cover types they previous
omitted;
- We allow iorap_inode2filename limited access to shell_data_file and
  nfc_data_file;
- We allow zygote limited access to system_app_data_file.

Also extend check_seapp to check that all types specified in
seapp_contexts files have the attribute, to ensure that the neverallow
rules apply to them. As a small bonus, also verify that domain and
type values are actually types not attributes.

Test: Presubmits
Test: Manual: specify an invalid type, build breaks.
Bug: 171795911
Change-Id: Iab6018af449dab3b407824e635dc62e3d81e07c9
2020-11-09 11:04:02 +00:00
Alan Stokes
c7229c760f Make shared_relro levelFrom=all.
Also make shared_relro_file mlstrustedobject to ensure these files can
still be read by any app in any user.

Bug: 170622707
Test: Manual: delete the files, check they are re-created and accessible.
Test: Manual: no denials seen
Test: Presubmits
Change-Id: Icce4ee858219e3fd0e307f3edfb3c66005872a45
2020-10-12 14:43:01 +01:00
Collin Fijalkovich
71af2b4cdd Merge "Make traceur seapp_context reflect privapp status" 2020-09-24 21:08:09 +00:00
Collin Fijalkovich
057c7d60dc Make traceur seapp_context reflect privapp status
In moving Traceur from being signed with the platform key to privapp
status, we need to adjust how SELinux identifies the Traceur
app_context. We remove the platform seinfo identifier since Traceur is
no longer a platform app, and identify it as a privapp.

Bug: 166768816
Test: Build user and userdebug versions, tested regular and long tracing
functionality

Change-Id: Ie0b198a0caa5c3a074f5a275c7eb95e37671d60f
2020-08-28 16:10:36 -07:00
Ashwini Oruganti
706aa4b165 Actually route PermissionController to the right domain am: b3bffe88ab am: a8ac523363
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1336070

Change-Id: I64ef366b3049b50fa064f5c5de86ab718a6e3f6c
2020-06-15 19:51:06 +00:00
Ashwini Oruganti
b3bffe88ab Actually route PermissionController to the right domain
com.android.permissioncontroller was getting routed to platform_app
since specified seinfo takes precedence over unspecified seinfo. This
change adds seinfo=platform to the rule for
com.android.permissioncontroller so it correctly runs in the
permissioncontroller_app domain.

Bug: 158953123
Test: Treehugger + android.security.cts.SELinuxHostTest#testPermissionControllerDomain
Change-Id: I721fbf43a9774ed11414dd084bedaeb7216a76dd
2020-06-15 11:19:44 -07:00
Martijn Coenen
d40dfdc4c0 Don't give uid-based categories to app_zygote and isolated processes.
The mapping of UIDs to categories can only take 16 bits, yet isolated
processes start at UID 90000. Additionally, the main purpose of these
categories was to isolate app-private storage, but since isolated
processes don't have access to app-private storage anyway, removing them
doesn't hurt.

The upside is that this allows us to remove mIstrustedsubject from the
app_zygote domain, which prevents app code running in that context from
assigning itself arbitrary categories.

Bug: 157598026
Test: inspect categories of app_zygote and children; verify Chrome works
Merged-In: Idfa8625d939cf30f3683436949bb4f335851622a
Change-Id: Idfa8625d939cf30f3683436949bb4f335851622a
2020-06-09 12:32:59 +00:00
Jeff Vander Stoep
4e7769e040 priv_app: use per-app selinux contexts
Enforce for priv-apps with targetSdkVersion>=31.

This is the same restriction enforced on third party apps with
targetSdkVersion>=28 in Android 9.0. See:
https://developer.android.com/about/versions/pie/android-9.0-changes-28#per-app-selinux

This change allows selinux to better enforce the application sandbox
providing better defense-in-depth for priv-apps.
In particular it prevents apps running in the priv_app domain
from sharing their private data directory by granting
world-accessible unix permissions.

Bug: 142672293
Test: Build, boot, check for denials.
Change-Id: If2953eb990fdc24aaccf29be3394a9ee1f02185c
2020-05-06 13:17:28 +02:00
Jeff Vander Stoep
fcf12fd723 mediaprovider: fixed sharedUserId bug
Apps signed with the media key share a UID (except
com.android.providers.media.module). However, some
run in the priv_app selinux context, and others run in
the mediaprovider context. That's a bug. Apps which share
a UID should always share an selinux domain. Assign all apps
with the seinfo=media to the mediaprovider selinux domain.

This moves the following packages from the priv_app to the
mediaprovider domain:
com.android.providers.downloads
com.android.providers.downloads.ui
com.android.mtp
com.android.soundpicker

Bug: 154614768
Test: atest CtsDownloadManagerApi28
Change-Id: I21bf68de525fff87c3a02aa59fba3a8d86be5324
2020-05-05 17:51:17 +00:00
Jeffrey Vander Stoep
7bf9669a6c Merge "Revert "mediaprovider: fixed sharedUserId bug"" 2020-04-23 17:36:28 +00:00
Jeffrey Vander Stoep
3b9683ff53 Revert "mediaprovider: fixed sharedUserId bug"
This reverts commit 2498d1c46e.

Reason for revert: b/154825574

Change-Id: I20ad5efc26fe076fb98503f59673892c491a1293
2020-04-23 17:33:55 +00:00
Jeffrey Vander Stoep
1705c1e9fa Merge "mediaprovider: fixed sharedUserId bug" 2020-04-23 12:03:15 +00:00
Ashwini Oruganti
efc3bdb255 Fix typo: s/com.google.android.gfs/com.google.android.gsf
Bug: 154597032
Test: TH
Change-Id: Ia8de313a9573649c456568abb3a8190dc2960bc3
2020-04-22 10:22:45 -07:00
Jeff Vander Stoep
2498d1c46e mediaprovider: fixed sharedUserId bug
All apps signed with the media key share a UID. However,
some run in the priv_app selinux context, and others run
in the mediaprovider context. That's a bug. Apps which share
a UID should always share an selinux domain. Assign all apps
with the seinfo=media to the mediaprovider selinux domain.

This moves the following packages from the priv_app to the
mediaprovider domain:
com.android.providers.downloads
com.android.providers.downloads.ui
com.android.mtp
com.android.soundpicker

Bug: 154614768
Test: atest CtsDownloadManagerApi28
Change-Id: I6f96142ef03101568abed670a0e32f952515a590
2020-04-22 15:47:27 +02:00
Ashwini Oruganti
4a1630133d Route com.google.android.gsf to gmscore_app
com.google.android.gms and com.google.android.gsf have a sharedUserId
but were being routed to two different domains:

com.google.android.gms 10145 0 /data/user/0/com.google.android.gms google:privapp:targetSdkVersion=10000
com.google.android.gsf 10145 0 /data/user/0/com.google.android.gsf google:privapp:targetSdkVersion=10000

This change routes them to the same domain: gmscore_app

Bug: 154597032
Test: TH
Change-Id: I0a309a687eb8608604cabf65b58763a1a3262153
2020-04-21 09:29:08 -07:00
Martijn Coenen
e3f1d5a314 Create new mediaprovider_app domain.
This is a domain for the MediaProvider mainline module. The
MediaProvider process is responsible for managing external storage, and
as such should be able to have full read/write access to it. It also
hosts a FUSE filesystem that allows other apps to access said storage in
a safe way. Finally, it needs to call some ioctl's to set project quota
on the lower filesystem correctly.

Bug: 141595441
Test: builds, mediaprovider module gets the correct domain
Change-Id: I0d705148774a1bbb59c927e267a484cb5c44f548
2020-02-04 16:53:18 +01:00
Jeff Vander Stoep
1f7ae8ee3f reland: untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Test: libcore.java.net.NetworkInterfaceTest#testGetNetworkInterfaces
Change-Id: I89553e48db3bc71f229c71fafeee9005703e5c0b
2020-01-22 09:47:53 +00:00
Santiago Seifert
1d241db7e5 Revert "untrusted_app_29: add new targetSdk domain"
This reverts commit a1aa2210a9.

Reason for revert: Potential culprit for Bug b/148049462 - verifying through Forrest before revert submission

Change-Id: Ibe4fa1dee84defde324deca87d9de24a1cc2911a
2020-01-21 11:35:24 +00:00
Jeff Vander Stoep
a1aa2210a9 untrusted_app_29: add new targetSdk domain
Enforce new requirements on app with targetSdkVersion=30 including:
- No bind() on netlink route sockets.
- No RTM_GETLINK on netlink route sockets.

Remove some of the repetitive descriptions in each untrusted_app_N.te
file, and instead refer to the description in
public/untrusted_app.te.

Bug: 141455849
Test: CtsSelinuxTargetSdkCurrentTestCases
Change-Id: Iad4d142c0c13615b4710d378bc1feca4d125b6cc
2020-01-20 15:31:52 +01:00
Treehugger Robot
d16a3968f3 Merge changes Ifa33dae9,I69ccc6af,Ibb4db9d9
* changes:
  Revert "sepolicy: Permission changes for new wifi mainline module"
  Revert "wifi_stack: Move to network_stack process"
  Revert "sepolicy(wifi): Allow audio service access from wifi"
2019-11-27 00:41:35 +00:00
Ashwini Oruganti
8f079fb0e2 Merge "Create a separate SELinux domain for gmscore" 2019-11-25 16:59:10 +00:00
Ashwini Oruganti
c46a7bc759 Create a separate SELinux domain for gmscore
This change creates a gmscore_app domain for gmscore. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update the gmscore_app rules
accordingly.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.gms runs in the gmscore_app domain. Tested different
flows on the Play Store app, e.g., create a new account, log in, update
an app, etc. and verified no new denials were generated.
Change-Id: Ie5cb2026f1427a21f25fde7e5bd00d82e859f9f3
2019-11-22 10:39:19 -08:00
Roshan Pius
d804a76d03 Revert "sepolicy: Permission changes for new wifi mainline module"
This reverts commit 3aa1c1725e.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: Ifa33dae971dccfd5d14991727e2f27d2398fdc74
2019-11-22 09:49:32 -08:00
Roshan Pius
a483b5df72 Revert "wifi_stack: Move to network_stack process"
This reverts commit 1086c7d71d.

Reason for revert: Wifi services no longer plan to be a separate
APK/process for mainline. Will instead become a jar loaded from Apex.

Bug: 144722612
Test: Device boots up & connects to wifi networks
Change-Id: I69ccc6afbe15db88f516cdc64e13d8cfdb0c743c
2019-11-22 09:48:54 -08:00
Ashwini Oruganti
288c14f137 PermissionController goes to the permissioncontroller_app domain
This change adds a rule for com.android.permissioncontroller to run in
the previously defined permissioncontroller_app.
com.android.permissioncontroller would require similar permissions to
com.google.android.permissioncontroller.

Bug: 142672293
Test: Green builds
Change-Id: I92e7175526380c0711f52fafe8d1f8d9531d07f8
2019-11-21 09:48:01 -08:00
Ashwini Oruganti
c77ff3727c Create a separate domain for VzwOmaTrigger
This creates a new vzwomatrigger_app domain. The domain is
currently in permissive mode (for userdebug and eng builds), while we
observe the SELinux denials generated and update permissions.
Bug: 142672293
Test: Build, flash, boot successfully

Change-Id: I552df772b66e8e7edb1ccee754d1ea8dd1acece0
2019-11-14 16:13:00 -08:00
Ashwini Oruganti
04f771dee4 Don't require seinfo for priv-apps
Relax the requirement to have both seinfo and name specified for
privapps. The original reason for requiring both was because, normally,
a package can only be uniquely specified by both name and signature,
otherwise package squatting could occur. However, privapps are
pre-installed, so the concerns about the potential for package squatting
are eliminated. This change will drastically simplify sepolicy
configuration for priv-apps.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller still  runs in the
permissioncontroller_app domain.
Change-Id: I5bb2bf84b9db616c4492bd1402550821c70fdd07
2019-11-06 08:37:03 -08:00
Ashwini Oruganti
9bc81125ef Create a separate domain for permissioncontroller
This creates an SELinux domain for permissioncontroller and moves it out of the
priv_app SELinux domain.

Bug: 142672293
Test: Flashed a device with this build and verified
com.google.android.permissioncontroller runs in the
permissioncontroller_app domain.
Change-Id: Ieb2e4cb806d18aaeb2e5c458e138975d1d5b64fe
2019-10-30 14:59:12 -07:00
Roshan Pius
1086c7d71d wifi_stack: Move to network_stack process
The wifi stack APK will run inside the network_stack process. So, move
the sepolicy rules for wifi stack inside the network stack rules.

Bug: 135691051
Test: Manual tests
- manual connect to wifi networks
- Remove networks
Test: Will send for ACTS wifi regression testing
Change-Id: I9d5da80852f22fa1d12b2dbbc76b9e06c1275310
(cherry-picked from b83abf7af3df64e0d3c1b22548f2344b55aece28)
2019-10-02 11:49:43 -07:00
Roshan Pius
3aa1c1725e sepolicy: Permission changes for new wifi mainline module
Move wifi services out of system_server into a separate APK/process.

Changes:
a) Created sepolicy for the new wifi apk.
b) The new APK will run with network_stack uid (eventually will be moved
to the same process).

Used 'audit2allow' tool to gather list of permissions required.

Note: The existing wifi related permissions in system_server is left
behind to allow the module to be loaded into system_server or
network_stack process depending on device configuration.

Bug: 113174748
Test: Device boots up and able to make wifi connection.
Test: Tested hotspot functionality.
Test: Ran WifiManagerTest & WifiSoftApTest ACTS tests locally.
Test: Will send for wifi regression tests.
Change-Id: Id19643a235bf0c28238f2729926b893ac2025b97
(cherry-picked from c7aa90091e6bec70a31a643cc4519a9a86fb0b38)
2019-07-16 13:30:15 -07:00
Nick Kralevich
795add585c Remove isV2App
This selector is no longer used.

Bug: 123605817
Bug: 111314398
Test: compiles and boots
Change-Id: I61bb6b9f17ba4534569bd4a1c0489023cdaf698d
2019-04-16 16:01:08 -07:00
Xiao Ma
c06f0f602a Allow the netowrk stack to access its own data files.
After moving IpMemoryStore service to network stack module(aosp/906907),
the following untracked SELinux denials are observed on boot.

W id.networkstack: type=1400 audit(0.0:63): avc: denied { write } for
name="com.android.networkstack" dev="sda13" ino=704810
scontext=u:r:network_stack:s0:c49,c260,c512,c768
tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0

Add radio_data_file type for network stack user configuration and
relevant permission to allow access to its data, as the network stack
is a privileged app.

Test: m -j passed
Change-Id: I6eab528714df6a17aae0cb546dcc3ad4bb21deea
2019-03-19 11:42:11 +09:00
Remi NGUYEN VAN
3b006d9bd4 sepolicy change for NetworkStack signature
Update the seinfo to the new network_stack seinfo, as the network stack
is now using its own certificate.
Remove the hard-coded package name, which may differ depending on
devices, and specify (uid, signature, priv-app) instead.

Bug: 124033493
Test: m
Change-Id: If3bbc21cf83f5d17406e9615833ee43011c9c9bc
2019-02-14 07:58:13 +09:00
Alan Stokes
6b576bd2fa Update seapp_contexts documentation comments.
Add some missing fields, document undocumented fields, update
precedence rules, and attempt to give slightly more context.

Test: Builds
Change-Id: Id106ebe3aa6c18697db82a775cc54ed07b6c1a57
2019-02-05 17:37:29 +00:00
Martijn Coenen
1bbda7e662 Initial sepolicy for app_zygote.
The application zygote is a new sort of zygote process that is a
child of the regular zygote. Each application zygote is tied to the
application for which it's launched. Once it's started, it will
pre-load some of the code for that specific application, much like
the regular zygote does for framework code.

Once the application zygote is up and running, it can spawn
isolated service processes that run in the isolated_app domain. These
services can then benefit from already having the relevant
application code and data pre-loaded.

The policy is largely the same as the webview_zygote domain,
however there are a few crucial points where the policy is different.

1) The app_zygote runs under the UID of the application that spawned
   it.
2) During app_zygote launch, it will call a callback that is
   controlled by the application, that allows the application to
   pre-load code and data that it thinks is relevant.

Especially point 2 is imporant: it means that untrusted code can run
in the app_zygote context. This context is severely limited, and the
main concern is around the setgid/setuid capabilities. Those conerns
are mitigated by installing a seccomp filter that only allows
setgid/setuid to be called in a safe range.

Bug: 111434506
Test: app_zygote can start and fork children without denials.
Change-Id: I1cc49ee0042d41e5ac6eb81d8f8a10ba448d4832
2019-01-21 08:24:41 +00:00
Yabin Cui
770a4f6539 Add permissions in runas_app domain to debug/profile debuggable apps.
runas_app domain is used by lldb/ndk-gdb/simpleperf to debug/profile
debuggable apps. But it misses permissions to ptrace app processes and
read /proc/<app_pid> directory.

Bug: none
Test: build and boot marlin.
Test: run lldb and simpleperf on apps with target sdk version 24-29.
Change-Id: I9e6f940ec81a8285eae8db3b77fb1251a25dedd0
2019-01-09 17:24:31 +00:00