# SELinux policy for the run-as domain and the ndk-gdb debugging flow.
# Blame record shown on the page: Stephen Smalley, commit e884872,
# 2012-11-13 13:00:05 -0500.
#
# Declares the runas domain and its executable type, then, under the
# support_runas boolean, grants shell, runas, untrusted_app and adbd the
# access that ndk-gdb and run-as need.

# NOTE(review): runas carries mlstrustedsubject; presumably this exempts it
# from MLS constraints, as the attribute name suggests -- confirm against the
# MLS constraint definitions, which are not shown here.
type runas, domain, mlstrustedsubject;
type runas_exec, file_type;

# Gates every rule in the conditional block below. The default is true, so
# the debugging rules are active unless the boolean is explicitly turned off.
# NOTE(review): several rules in the block use untrusted_app as the source
# domain, so while the boolean is true they apply to every process in that
# domain, not only to processes started through run-as. Builds that do not
# need on-device native debugging should consider setting it to false.
bool support_runas true;

if (support_runas) {

# ndk-gdb invokes adb shell ps to find the app PID.
# r_dir_file is a macro defined outside this file; presumably it grants shell
# read access to untrusted_app directories and files -- verify its expansion.
r_dir_file(shell, untrusted_app)
# dontaudit grants nothing: it only suppresses the audit record for a denial.
# Denied shell reads of other domains' dirs/files will therefore not appear
# in the audit log, which matters when using denials as a detection signal.
dontaudit shell domain:dir r_dir_perms;
dontaudit shell domain:file r_file_perms;

# ndk-gdb invokes adb shell ls to check the app data dir.
# Only directory search is granted here, not read/listing of contents.
allow shell app_data_file:dir search;

# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
# The allow is limited to SIGKILL against untrusted_app; the sys_ptrace and
# kill capabilities stay denied and the denials are silenced.
allow shell untrusted_app:process sigkill;
dontaudit shell self:capability { sys_ptrace kill };

# ndk-gdb invokes adb shell run-as.
# domain_auto_trans is defined outside this file; presumably shell enters the
# runas domain automatically when it executes a runas_exec file.
domain_auto_trans(shell, runas_exec, runas)
allow runas shell:fd use;
allow runas devpts:chr_file { read write };

# run-as reads package information.
# NOTE(review): the rule covers every file labeled system_data_file, not just
# the package list; a dedicated type for that file would narrow it.
allow runas system_data_file:file r_file_perms;

# run-as checks and changes to the app data dir.
# dac_override is denied silently; only dac_read_search is granted.
dontaudit runas self:capability dac_override;
allow runas self:capability dac_read_search;
allow runas app_data_file:dir { getattr search };

# run-as switches to the app UID/GID.
allow runas self:capability { setuid setgid };

# run-as switches to the app security context.
# untrusted_app is the only dyntransition target granted in this file, so
# under these rules setcon from runas can only land in that domain.
# NOTE(review): the rootfs rule grants read on every rootfs-labeled file,
# which is wider than /seapp_contexts alone.
allow runas rootfs:file r_file_perms; # read /seapp_contexts
selinux_check_context(runas) # validate context
allow runas untrusted_app:process dyntransition; # setcon

# run-as runs lib/gdbserver from the app data dir.
# NOTE(review): the comment says "app data dir" but the rule's target type is
# system_data_file, not app_data_file. As written it lets any untrusted_app
# process use rx_file_perms (defined elsewhere; presumably read + execute) on
# system_data_file files -- confirm this breadth is intended.
allow untrusted_app system_data_file:file rx_file_perms;

# run-as may also run sh or system commands.
allow untrusted_app shell_exec:file rx_file_perms;
allow untrusted_app system_file:file rx_file_perms;

# gdbserver reads the zygote.
allow untrusted_app zygote_exec:file r_file_perms;

# (grand)child death notification.
allow untrusted_app shell:process sigchld;

# child shell or gdbserver pty access.
# NOTE(review): devpts is a single type here, so this is not restricted to
# the pty of the debugging session -- verify how ptys are labeled in this tree.
allow untrusted_app devpts:chr_file { getattr read write };

# gdbserver creates a socket in the app data dir.
allow untrusted_app app_data_file:sock_file { create unlink };

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# These three rules let adbd reach a unix stream socket under an app data
# dir and connect to an untrusted_app listener.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd untrusted_app:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

}