tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/runas_app.te
Nick Kralevich bafea958fb allow runas_app untrusted_app_all:unix_stream_socket connectto 
system/sepolicy commit ffa2b61330
introduced the runas_app SELinux domain, which changed how we perform
debugging and profiling of Android applications. This broke Android
Studio's profiling tool.

Android Studio's profiling tool has the run-as spawned application
connect to an app created unix domain sockets in the
abstract namespace.

Note: this differs from system/sepolicy commit
3e5668f173, which allows connections in
the reverse direction (from app to runas_app). That change (b/123297648)
was made for a different part of Android Studio, Android Studio Instant
Run.

Addresses the following denial:

2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni

(hex decode of 00436C69656E74 is "Client")

2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps

(hex decode of
00416E64726F696453747564696F5472616E73706F72744167656E743139383839
is "AndroidStudioTransportAgent19889")

Bug: 120445954
Test: manual
Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1
2019-02-08 11:35:50 -08:00

18 lines
717 B
Text
Raw Blame History

typeattribute runas_app coredomain;
app_domain(runas_app)
untrusted_app_domain(runas_app)
net_domain(runas_app)
bluetooth_domain(runas_app)
# The ability to call exec() on files in the apps home directories
# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
# which are copied to the apps home directories.
allow runas_app app_data_file:file execute_no_trans;
# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
r_dir_file(runas_app, untrusted_app_all)
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;
Reference in a new issue View git blame Copy permalink