tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/runas_app.te
Jeff Vander Stoep 5a6c0a755d runas_app: allow sigkill of untrusted_app 
It is safe to grant this permission because:
 * UID restrictions will prevent killing arbitrary apps.
 * Runas enforces restrictions preventing transitioning to UIDs of apps
   that are not debuggable.

Addresses:
avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768
tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process
permissive=0 app=com.example.myapplication

Bug: 263379256
Test: Build and deploy any Android app in debug mode
   adb shell
   run-as com.example.myapplication
   kill -SIGKILL <pid>
Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62
2023-01-20 09:02:19 +01:00

32 lines
1.4 KiB
Text
Raw Blame History

typeattribute runas_app coredomain;
app_domain(runas_app)
untrusted_app_domain(runas_app)
net_domain(runas_app)
bluetooth_domain(runas_app)
# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;
# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
r_dir_file(runas_app, untrusted_app_all)
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
# Allow executing system image simpleperf without a domain transition.
allow runas_app simpleperf_exec:file rx_file_perms;
# Suppress denial logspam when simpleperf is trying to find a matching process
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
# the same domain as their respective process, most of which this domain is not
# allowed to see.
dontaudit runas_app domain:dir search;
# Allow runas_app to call perf_event_open for profiling debuggable app
# processes, but not the whole system.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };
Reference in a new issue View git blame Copy permalink