platform_system_sepolicy/runas.te
William Roberts 6c4c27e626 Give domains read access to security_file domain.
/data/security is another location that policy
files can reside. In fact, these policy files
take precedence over their rootfs counterparts
under certain circumstances. Give the appropriate
players the rights to read these policy files.

Change-Id: I9951c808ca97c2e35a9adb717ce5cb98cda24c41
2013-04-05 19:34:30 +00:00

67 lines
2.1 KiB
Text

type runas, domain, mlstrustedsubject;
type runas_exec, file_type;
bool support_runas true;
if (support_runas) {
# ndk-gdb invokes adb shell ps to find the app PID.
r_dir_file(shell, untrusted_app)
dontaudit shell domain:dir r_dir_perms;
dontaudit shell domain:file r_file_perms;
# ndk-gdb invokes adb shell ls to check the app data dir.
allow shell app_data_file:dir search;
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
allow shell untrusted_app:process sigkill;
dontaudit shell self:capability { sys_ptrace kill };
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
allow runas adbd:process sigchld;
allow runas shell:fd use;
allow runas devpts:chr_file { read write ioctl };
# run-as reads package information.
allow runas system_data_file:file r_file_perms;
# run-as checks and changes to the app data dir.
dontaudit runas self:capability dac_override;
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };
# run-as switches to the app security context.
# read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(runas)
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon
# run-as runs lib/gdbserver from the app data dir.
allow untrusted_app system_data_file:file rx_file_perms;
# gdbserver reads the zygote.
allow untrusted_app zygote_exec:file r_file_perms;
# (grand)child death notification.
allow untrusted_app shell:process sigchld;
allow untrusted_app adbd:process sigchld;
# child shell or gdbserver pty access.
allow untrusted_app devpts:chr_file { getattr read write ioctl };
# gdbserver creates a socket in the app data dir.
allow untrusted_app app_data_file:sock_file { create unlink };
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd untrusted_app:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
}