34ad1d0bc1
Bug: 288517951 Test: build Change-Id: I682e553ec8090281ded447780be41a8ea222b084 Merged-In: I15bf3817a8a6867d52f7963a04a69e543a9801e9
32 lines
1.4 KiB
Text
32 lines
1.4 KiB
Text
typeattribute runas_app coredomain;
|
|
|
|
app_domain(runas_app)
|
|
untrusted_app_domain(runas_app)
|
|
net_domain(runas_app)
|
|
bluetooth_domain(runas_app)
|
|
|
|
# The ability to call exec() on files in the apps home directories
|
|
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
|
|
# which are copied to the apps home directories.
|
|
allow runas_app app_data_file:file execute_no_trans;
|
|
|
|
# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
|
|
r_dir_file(runas_app, untrusted_app_all)
|
|
|
|
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
|
|
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
|
|
allow runas_app untrusted_app_all:unix_stream_socket connectto;
|
|
|
|
# Allow executing system image simpleperf without a domain transition.
|
|
allow runas_app simpleperf_exec:file rx_file_perms;
|
|
|
|
# Suppress denial logspam when simpleperf is trying to find a matching process
|
|
# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
|
|
# the same domain as their respective process, most of which this domain is not
|
|
# allowed to see.
|
|
dontaudit runas_app domain:dir search;
|
|
|
|
# Allow runas_app to call perf_event_open for profiling debuggable app
|
|
# processes, but not the whole system.
|
|
allow runas_app self:perf_event { open read write kernel };
|
|
neverallow runas_app self:perf_event ~{ open read write kernel };
|