author | Nick Kralevich <nnk@google.com> | 2013-12-10 00:00:04 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2013-12-10 00:00:04 +0000 |
commit | 0bc17371f731e6ca10d3e9c1092d6f33806332a1 (patch) | |
tree | b09e79ffd9d6f89d7add64acbcb65f9f0d3633be | |
parent | e6a7b37d4c8e16dd92b2fa340a6798cb4dbe80ad (diff) | |
parent | 48759ca2054fa742724cd81debed51208b69e758 (diff) | |
Merge "Support run-as and ndk-gdb functionality." idea133
-rw-r--r-- | adbd.te | 9 | ||||
-rw-r--r-- | app.te | 15 | ||||
-rw-r--r-- | runas.te | 23 | ||||
-rw-r--r-- | shell.te | 9 | ||||
-rw-r--r-- | shell_user.te | 6 |
5 files changed, 59 insertions, 3 deletions
@@ -13,3 +13,12 @@ allow adbd adb_keys_file:file r_file_perms;
 # Allow access in case /data/misc/adb still has the old type.
 allow adbd system_data_file:dir search;
 allow adbd system_data_file:file r_file_perms;
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
@@ -13,12 +13,25 @@ unix_socket_connect(appdomain, keystore, keystore) # Receive and use open file descriptors inherited from zygote. allow appdomain zygote:fd use; +# gdbserver for ndk-gdb reads the zygote. +allow appdomain zygote_exec:file r_file_perms; + +# gdbserver for ndk-gdb ptrace attaches to app process. +allow appdomain self:process ptrace; + # Read system properties managed by zygote. allow appdomain zygote_tmpfs:file read; # Notify zygote of death; allow appdomain zygote:process sigchld; +# Notify shell and adbd of death when spawned via runas for ndk-gdb. +allow appdomain shell:process sigchld; +allow appdomain adbd:process sigchld; + +# child shell or gdbserver pty access for runas. +allow appdomain devpts:chr_file { getattr read write ioctl }; + # Communicate with system_server. allow appdomain system_server:fifo_file rw_file_perms; allow appdomain system_server:unix_stream_socket { read write setopt };
@@ -41,7 +54,7 @@ allow appdomain platform_app_data_file:file { getattr read write }; # lib subdirectory of /data/data dir is system-owned. allow appdomain system_data_file:dir r_dir_perms; -allow appdomain system_data_file:file { execute open }; +allow appdomain system_data_file:file { execute execute_no_trans open }; # Execute the shell or other system executables. allow appdomain shell_exec:file rx_file_perms;
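Review bot: In the app.te hunk `@@ -13,12 +13,25 @@`, `allow appdomain self:process ptrace;` is broader than the comment above it: `self` expands to the source type, so every process in each app domain may ptrace any other process of the same type, not only a gdbserver started for ndk-gdb. What still separates two processes of the same app type is then DAC and whatever kernel ptrace restriction is in force, neither of which is visible in this policy. Suggest stating that above the rule: `# Note: self:process ptrace applies to every process in the domain; DAC and kernel ptrace restrictions are the remaining limit.`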
@@ -1,6 +1,25 @@ -type runas, domain; +type runas, domain, mlstrustedsubject; +permissive runas; type runas_exec, exec_type, file_type; -unconfined_domain(runas) # ndk-gdb invokes adb shell run-as. domain_auto_trans(shell, runas_exec, runas) +allow runas adbd:process sigchld; +allow runas shell:fd use; +allow runas devpts:chr_file { read write ioctl }; + +# run-as reads package information. +allow runas system_data_file:file r_file_perms; + +# run-as checks and changes to the app data dir. +dontaudit runas self:capability dac_override; +allow runas app_data_file:dir { getattr search }; + +# run-as switches to the app UID/GID. +allow runas self:capability { setuid setgid }; + +# run-as switches to the app security context. +# read /seapp_contexts and /data/security/seapp_contexts +security_access_policy(runas) +selinux_check_context(runas) # validate context +allow runas non_system_app_set:process dyntransition; # setcon
@@ -9,3 +9,12 @@ app_domain(shell) # shell is also permissive to permit setenforce. permissive shell; + +# ndk-gdb invokes adb shell ps to find the app PID. +r_dir_file(shell, non_system_app_set) + +# ndk-gdb invokes adb shell ls to check the app data dir. +allow shell app_data_file:dir search; + +# ndk-gdb invokes adb shell kill -9 to kill the gdbserver. +allow shell non_system_app_set:process sigkill;
diff --git a/shell_user.te b/shell_user.te
index 8b51003..1eccbd6 100644
--- a/shell_user.te
+++ b/shell_user.te
@@ -6,3 +6,9 @@ unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
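Review bot: In the runas.te hunk, `+permissive runas;` is added with no comment, yet the same hunk gives the domain `self:capability { setuid setgid }` and `non_system_app_set:process dyntransition`; while the domain is permissive none of the rules below it are enforced, so a denial on the run-as path is only logged. If permissive is a bring-up step to gather denials, say so and flag it for removal, e.g. `# TODO: make runas enforcing once the rules below are confirmed complete.`. The `mlstrustedsubject` added to the type line is likewise unexplained; a one-line comment on why run-as needs it (presumably because it switches into the app's context across MLS levels) would help the next reader.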
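Review bot: The shell.te hunk adds `allow shell non_system_app_set:process sigkill;`, but the parallel shell_user.te hunk adds only the `r_dir_file` and `app_data_file:dir search` rules and omits it, with no comment saying why. If the omission relies on `unconfined_domain(shell)`, which appears in that hunk's header context, already covering sigkill, the same reasoning would make the two rules that were added redundant there too; either add the sigkill rule to shell_user.te or explain the difference. The rule also lets the shell kill any non-system app process, not only a gdbserver, which the comment `# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.` could acknowledge.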