From 3b7d9e49df9d4b4803b0b727cf980ae5f7926a20 Mon Sep 17 00:00:00 2001
From: Yabin Cui <yabinc@google.com>
Date: Mon, 19 Jun 2017 16:02:07 -0700
Subject: [PATCH] Avoid audit when running `adb shell -t run-as xxx`.

run-as uses a file descriptor created by adbd when running
`adb shell -t run-as xxx`. This produces audit warnings like the one below:

[ 2036.555371] c1    509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd

Bug: http://b/62358246
Test: test manually that the warning disappears.
Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb
---
 public/domain_deprecated.te | 2 +-
 public/runas.te             | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 64ad3e64f..aaf516c5d 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -24,7 +24,7 @@ auditallow { domain_deprecated -appdomain -netd -surfaceflinger } system_server:
 # This is used for e.g. adb backup/restore.
 allow domain_deprecated adbd:fd use;
 userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
 ')
 
 # Root fs.
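Review bot: The new `-runas` exclusion on the `auditallow ... adbd:fd use;` line has no comment explaining why runas is exempt, and the existing comment above the rule only mentions adb backup/restore. A one-line comment such as `# runas is excluded: it has its own explicit adbd:fd use rule in runas.te.` would keep the exclusion list reviewable. Because the grant for runas no longer depends on domain_deprecated, this exclusion presumably becomes dead once runas drops the domain_deprecated attribute and could be removed then.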
diff --git a/public/runas.te b/public/runas.te
index a61f176a9..e56a9e76b 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,6 +1,7 @@
 type runas, domain, domain_deprecated, mlstrustedsubject;
 type runas_exec, exec_type, file_type;
 
+allow runas adbd:fd use;
 allow runas adbd:process sigchld;
 allow runas adbd:unix_stream_socket { read write };
 allow runas shell:fd use;
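Review bot: The added `allow runas adbd:fd use;` has no comment, and it is broader than the case in the commit message: it covers any descriptor created by adbd that run-as inherits, not only the `/dev/pts/0` pty shown in the audit line. Recording the intent next to the rule would help, e.g. `# Use the pty fd inherited from adbd under "adb shell -t run-as".`. `fd use` only permits use of the descriptor itself, and access to the underlying object is still checked against that object's own type. It is still worth confirming that no other adbd-created descriptors are expected to reach run-as.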
-- 
GitLab