runas.te - platform/external/sepolicy - Git at Google

 type runas, domain, mlstrustedsubject;
 type runas_exec, file_type;

 bool support_runas true;

 if (support_runas) {

 # ndk-gdb invokes adb shell ps to find the app PID.
 r_dir_file(shell, untrusted_app)
 dontaudit shell domain:dir r_dir_perms;
 dontaudit shell domain:file r_file_perms;

 # ndk-gdb invokes adb shell ls to check the app data dir.
 allow shell app_data_file:dir search;

 # ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
 allow shell untrusted_app:process sigkill;
 dontaudit shell self:capability { sys_ptrace kill };

 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
 allow runas shell:fd  use;
 allow runas devpts:chr_file { read write };

 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;

 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
 allow runas self:capability dac_read_search;
 allow runas app_data_file:dir { getattr search };

 # run-as switches to the app UID/GID.
 allow runas self:capability { setuid setgid };

 # run-as switches to the app security context.
 allow runas rootfs:file r_file_perms; # read /seapp_contexts
 selinux_check_context(runas) # validate context
 allow runas untrusted_app:process dyntransition; # setcon

 # run-as runs lib/gdbserver from the app data dir.
 allow untrusted_app system_data_file:file rx_file_perms;

 # run-as may also run sh or system commands.
 allow untrusted_app shell_exec:file rx_file_perms;
 allow untrusted_app system_file:file rx_file_perms;

 # gdbserver reads the zygote.
 allow untrusted_app zygote_exec:file r_file_perms;

 # (grand)child death notification.
 allow untrusted_app shell:process sigchld;

 # child shell or gdbserver pty access.
 allow untrusted_app devpts:chr_file { getattr read write };

 # gdbserver creates a socket in the app data dir.
 allow untrusted_app app_data_file:sock_file { create unlink };

 # ndk-gdb invokes adb forward to forward the gdbserver socket.
 allow adbd app_data_file:dir search;
 allow adbd app_data_file:sock_file write;
 allow adbd untrusted_app:unix_stream_socket connectto;

 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;

 }
	type runas, domain, mlstrustedsubject;
	type runas_exec, file_type;

	bool support_runas true;

	if (support_runas) {

	# ndk-gdb invokes adb shell ps to find the app PID.
	r_dir_file(shell, untrusted_app)
	dontaudit shell domain:dir r_dir_perms;
	dontaudit shell domain:file r_file_perms;

	# ndk-gdb invokes adb shell ls to check the app data dir.
	allow shell app_data_file:dir search;

	# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
	allow shell untrusted_app:process sigkill;
	dontaudit shell self:capability { sys_ptrace kill };

	# ndk-gdb invokes adb shell run-as.
	domain_auto_trans(shell, runas_exec, runas)
	allow runas shell:fd use;
	allow runas devpts:chr_file { read write };

	# run-as reads package information.
	allow runas system_data_file:file r_file_perms;

	# run-as checks and changes to the app data dir.
	dontaudit runas self:capability dac_override;
	allow runas self:capability dac_read_search;
	allow runas app_data_file:dir { getattr search };

	# run-as switches to the app UID/GID.
	allow runas self:capability { setuid setgid };

	# run-as switches to the app security context.
	allow runas rootfs:file r_file_perms; # read /seapp_contexts
	selinux_check_context(runas) # validate context
	allow runas untrusted_app:process dyntransition; # setcon

	# run-as runs lib/gdbserver from the app data dir.
	allow untrusted_app system_data_file:file rx_file_perms;

	# run-as may also run sh or system commands.
	allow untrusted_app shell_exec:file rx_file_perms;
	allow untrusted_app system_file:file rx_file_perms;

	# gdbserver reads the zygote.
	allow untrusted_app zygote_exec:file r_file_perms;

	# (grand)child death notification.
	allow untrusted_app shell:process sigchld;

	# child shell or gdbserver pty access.
	allow untrusted_app devpts:chr_file { getattr read write };

	# gdbserver creates a socket in the app data dir.
	allow untrusted_app app_data_file:sock_file { create unlink };

	# ndk-gdb invokes adb forward to forward the gdbserver socket.
	allow adbd app_data_file:dir search;
	allow adbd app_data_file:sock_file write;
	allow adbd untrusted_app:unix_stream_socket connectto;

	# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
	allow adbd zygote_exec:file r_file_perms;
	allow adbd system_file:file r_file_perms;

	}