356f4be679
Writing to the /proc/self/attr files (encapsulated by the libselinux set*con functions) enables a program to request a specific security context for various operations instead of the policy-defined defaults. The security context specified using these calls is checked by an operation-specific permission, e.g. dyntransition for setcon, transition for setexeccon, create for setfscreatecon or setsockcreatecon, but the ability to request a context at all is controlled by a process permission. Omit these permissions from domain.te and only add them back where required so that only specific domains can even request a context other than the default defined by the policy. Change-Id: I6a2fb1279318625a80f3ea8e3f0932bdbe6df676 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
25 lines
870 B
Text
25 lines
870 B
Text
type runas, domain, mlstrustedsubject;
|
|
type runas_exec, exec_type, file_type;
|
|
|
|
# ndk-gdb invokes adb shell run-as.
|
|
domain_auto_trans(shell, runas_exec, runas)
|
|
allow runas adbd:process sigchld;
|
|
allow runas shell:fd use;
|
|
allow runas devpts:chr_file { read write ioctl };
|
|
|
|
# run-as reads package information.
|
|
allow runas system_data_file:file r_file_perms;
|
|
|
|
# run-as checks and changes to the app data dir.
|
|
dontaudit runas self:capability dac_override;
|
|
allow runas app_data_file:dir { getattr search };
|
|
|
|
# run-as switches to the app UID/GID.
|
|
allow runas self:capability { setuid setgid };
|
|
|
|
# run-as switches to the app security context.
|
|
# read /seapp_contexts and /data/security/seapp_contexts
|
|
security_access_policy(runas)
|
|
selinux_check_context(runas) # validate context
|
|
allow runas self:process setcurrent;
|
|
allow runas non_system_app_set:process dyntransition; # setcon
|