Add policy for run-as program.

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

5 files changed, 76 insertions, 7 deletions

diff --git a/file.te b/file.te
index 6bbda3a..64c8de6 100644
--- a/file.te
+++ b/file.te
@@ -12,7 +12,7 @@ type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type;
+type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
diff --git a/file_contexts b/file_contexts
index 43e532a..976783f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -89,6 +89,7 @@
 /system/bin/ash		u:object_r:shell_exec:s0
 /system/bin/mksh	u:object_r:shell_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/app_process	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
diff --git a/mls b/mls
index a4c214b..21eede5 100644
--- a/mls
+++ b/mls
@@ -34,11 +34,10 @@ mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit
 # Socket constraints
 #
 
-# These permissions are between the process and its local socket,
-# not between a process/socket and its peer.
-# Equivalence is the normal situation; anything else requires trust.
-mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted.  Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
 
 # Datagram send: Sender must be dominated by receiver unless one of them is
 # trusted.
diff --git a/runas.te b/runas.te
new file mode 100644
index 0000000..0a207e6
--- /dev/null
+++ b/runas.te
@@ -0,0 +1,69 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, file_type;
+
+bool support_runas true;
+
+if (support_runas) {
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, untrusted_app)
+dontaudit shell domain:dir r_dir_perms;
+dontaudit shell domain:file r_file_perms;
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
+
+# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
+allow shell untrusted_app:process sigkill;
+dontaudit shell self:capability { sys_ptrace kill };
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
+allow runas shell:fd  use;
+allow runas devpts:chr_file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas self:capability dac_read_search;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+allow runas rootfs:file r_file_perms; # read /seapp_contexts
+selinux_check_context(runas) # validate context
+allow runas untrusted_app:process dyntransition; # setcon
+
+# run-as runs lib/gdbserver from the app data dir.
+allow untrusted_app system_data_file:file rx_file_perms;
+
+# run-as may also run sh or system commands.
+allow untrusted_app shell_exec:file rx_file_perms;
+allow untrusted_app system_file:file rx_file_perms;
+
+# gdbserver reads the zygote.
+allow untrusted_app zygote_exec:file r_file_perms;
+
+# (grand)child death notification.
+allow untrusted_app shell:process sigchld;
+
+# child shell or gdbserver pty access.
+allow untrusted_app devpts:chr_file { getattr read write };
+
+# gdbserver creates a socket in the app data dir.
+allow untrusted_app app_data_file:sock_file { create unlink };
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd untrusted_app:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+}
diff --git a/shell.te b/shell.te
index 6e5329f..1f370d1 100644
--- a/shell.te
+++ b/shell.te
@@ -1,4 +1,4 @@
-type shell, domain;
+type shell, domain, mlstrustedsubject;
 type shell_exec, file_type;
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;