diff options
| author | Stephen Smalley <sds@tycho.nsa.gov> | 2012-11-13 13:00:05 -0500 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2012-11-27 10:05:42 -0800 |
| commit | e8848726553e3abee6033200c98a657c9ca7cdb8 (patch) | |
| tree | 525a1e762f5b6a6bd46223aa82c8edd90c9d0929 /runas.te | |
| parent | fdaa7869a5541b55413f59845dc5f7c56bab0614 (diff) | |
| download | android_external_sepolicy-e8848726553e3abee6033200c98a657c9ca7cdb8.tar.gz android_external_sepolicy-e8848726553e3abee6033200c98a657c9ca7cdb8.tar.bz2 android_external_sepolicy-e8848726553e3abee6033200c98a657c9ca7cdb8.zip | |
Add policy for run-as program.
Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.
Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Diffstat (limited to 'runas.te')
| -rw-r--r-- | runas.te | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/runas.te b/runas.te new file mode 100644 index 0000000..0a207e6 --- /dev/null +++ b/runas.te @@ -0,0 +1,69 @@ +type runas, domain, mlstrustedsubject; +type runas_exec, file_type; + +bool support_runas true; + +if (support_runas) { + +# ndk-gdb invokes adb shell ps to find the app PID. +r_dir_file(shell, untrusted_app) +dontaudit shell domain:dir r_dir_perms; +dontaudit shell domain:file r_file_perms; + +# ndk-gdb invokes adb shell ls to check the app data dir. +allow shell app_data_file:dir search; + +# ndk-gdb invokes adb shell kill -9 to kill the gdbserver. +allow shell untrusted_app:process sigkill; +dontaudit shell self:capability { sys_ptrace kill }; + +# ndk-gdb invokes adb shell run-as. +domain_auto_trans(shell, runas_exec, runas) +allow runas shell:fd use; +allow runas devpts:chr_file { read write }; + +# run-as reads package information. +allow runas system_data_file:file r_file_perms; + +# run-as checks and changes to the app data dir. +dontaudit runas self:capability dac_override; +allow runas self:capability dac_read_search; +allow runas app_data_file:dir { getattr search }; + +# run-as switches to the app UID/GID. +allow runas self:capability { setuid setgid }; + +# run-as switches to the app security context. +allow runas rootfs:file r_file_perms; # read /seapp_contexts +selinux_check_context(runas) # validate context +allow runas untrusted_app:process dyntransition; # setcon + +# run-as runs lib/gdbserver from the app data dir. +allow untrusted_app system_data_file:file rx_file_perms; + +# run-as may also run sh or system commands. +allow untrusted_app shell_exec:file rx_file_perms; +allow untrusted_app system_file:file rx_file_perms; + +# gdbserver reads the zygote. +allow untrusted_app zygote_exec:file r_file_perms; + +# (grand)child death notification. +allow untrusted_app shell:process sigchld; + +# child shell or gdbserver pty access. +allow untrusted_app devpts:chr_file { getattr read write }; + +# gdbserver creates a socket in the app data dir. +allow untrusted_app app_data_file:sock_file { create unlink }; + +# ndk-gdb invokes adb forward to forward the gdbserver socket. +allow adbd app_data_file:dir search; +allow adbd app_data_file:sock_file write; +allow adbd untrusted_app:unix_stream_socket connectto; + +# ndk-gdb invokes adb pull of app_process, linker, and libc.so. +allow adbd zygote_exec:file r_file_perms; +allow adbd system_file:file r_file_perms; + +} |