Merge "Support run-as and ndk-gdb functionality."

adbd.te

@@ -13,3 +13,12 @@ allow adbd adb_keys_file:file r_file_perms;
 # Allow access in case /data/misc/adb still has the old type.
 allow adbd system_data_file:dir search;
 allow adbd system_data_file:file r_file_perms;
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;

app.te

@@ -13,12 +13,25 @@ unix_socket_connect(appdomain, keystore, keystore)
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
+# gdbserver for ndk-gdb reads the zygote.
+allow appdomain zygote_exec:file r_file_perms;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow appdomain self:process ptrace;
+
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
 
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
 # Communicate with system_server.
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
@@ -41,7 +54,7 @@ allow appdomain platform_app_data_file:file { getattr read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
+allow appdomain system_data_file:file { execute execute_no_trans open };
 
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;

runas.te

-type runas, domain;
+type runas, domain, mlstrustedsubject;
+permissive runas;
 type runas_exec, exec_type, file_type;
-unconfined_domain(runas)
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
+allow runas shell:fd  use;
+allow runas devpts:chr_file { read write ioctl };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
+selinux_check_context(runas) # validate context
+allow runas non_system_app_set:process dyntransition; # setcon

shell.te

@@ -9,3 +9,12 @@ app_domain(shell)
 
 # shell is also permissive to permit setenforce.
 permissive shell;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
+
+# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
+allow shell non_system_app_set:process sigkill;

shell_user.te

@@ -6,3 +6,9 @@ unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;