From 48759ca2054fa742724cd81debed51208b69e758 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:39 -0400
Subject: [PATCH] Support run-as and ndk-gdb functionality.

Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality.

Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 adbd.te | 9 +++++++++
 app.te | 15 ++++++++++++++-
 runas.te | 23 +++++++++++++++++++++--
 shell.te | 9 +++++++++
 shell_user.te | 6 ++++++
 5 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/adbd.te b/adbd.te
index 84d1c2bf5..6adba83f9 100644
--- a/adbd.te
+++ b/adbd.te
@@ -13,3 +13,12 @@ allow adbd adb_keys_file:file r_file_perms;
 # Allow access in case /data/misc/adb still has the old type.
 allow adbd system_data_file:dir search;
 allow adbd system_data_file:file r_file_perms;
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
diff --git a/app.te b/app.te
index cf918a17c..5cef948fe 100644
--- a/app.te
+++ b/app.te
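Review bot: `allow adbd appdomain:unix_stream_socket connectto;` is wider than the comment above it states: `appdomain` is the attribute shared by every app domain (app.te writes all of its rules against it), so adbd may connect to any app's unix stream sockets, not only the gdbserver socket that `adb forward` targets. The `app_data_file` rules next to it are scoped by file type, but nothing in this hunk offers a gdbserver-specific type that the connectto rule could be narrowed to. Suggest recording the scope so it is revisited when such a type exists, e.g. `# connectto is granted for all of appdomain; no narrower type exists for the gdbserver socket.`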
@@ -13,12 +13,25 @@ unix_socket_connect(appdomain, keystore, keystore)
 # Receive and use open file descriptors inherited from zygote.
 allow appdomain zygote:fd use;
 
+# gdbserver for ndk-gdb reads the zygote.
+allow appdomain zygote_exec:file r_file_perms;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow appdomain self:process ptrace;
+
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
 
 # Notify zygote of death;
 allow appdomain zygote:process sigchld;
 
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
 # Communicate with system_server.
 allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt };
@@ -41,7 +54,7 @@ allow appdomain platform_app_data_file:file { getattr read write };
 
 # lib subdirectory of /data/data dir is system-owned.
 allow appdomain system_data_file:dir r_dir_perms;
-allow appdomain system_data_file:file { execute open };
+allow appdomain system_data_file:file { execute execute_no_trans open };
 
 # Execute the shell or other system executables.
 allow appdomain shell_exec:file rx_file_perms;
diff --git a/runas.te b/runas.te
index 6446a9e4b..c789b1411 100644
--- a/runas.te
+++ b/runas.te
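Review bot: `allow appdomain self:process ptrace;` grants more than the comment's "attaches to app process" suggests: `self` matches any process of the same domain type, so one process in an app domain may ptrace another in that domain, leaving only the kernel's DAC/UID checks to separate apps that share a domain. That is presumably intended, since the gdbserver spawned through run-as executes in the app's own context, but the comment should say so, e.g. `# self here is the whole app domain type, not just the calling process.` The `devpts:chr_file` rule further down omits `open`, so it only covers pty descriptors inherited from run-as or shell; that limit is worth a word in its comment as well.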
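Review bot: `execute_no_trans` is added to `system_data_file:file` for all of `appdomain` without a comment saying why; the existing comment above it only explains that the lib subdirectory is system-owned. Because it lets any app domain run files of that type inside its own domain rather than through a transition, the reason belongs next to the rule, e.g. `# execute_no_trans: ndk-gdb runs [binary - confirm] from the lib dir in the app's own domain.` The hunk itself does not show which binary needs it, so fill that in from the ndk-gdb flow before committing the comment.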
@@ -1,6 +1,25 @@
-type runas, domain;
+type runas, domain, mlstrustedsubject;
+permissive runas;
 type runas_exec, exec_type, file_type;
-unconfined_domain(runas)
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
+allow runas shell:fd use;
+allow runas devpts:chr_file { read write ioctl };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+# read /seapp_contexts and /data/security/seapp_contexts
+security_access_policy(runas)
+selinux_check_context(runas) # validate context
+allow runas non_system_app_set:process dyntransition; # setcon
diff --git a/shell.te b/shell.te
index 032f70ffc..17031b974 100644
--- a/shell.te
+++ b/shell.te
@@ -9,3 +9,12 @@ app_domain(shell)
 
 # shell is also permissive to permit setenforce.
 permissive shell;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
+
+# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
+allow shell non_system_app_set:process sigkill;
diff --git a/shell_user.te b/shell_user.te
index 8b51003df..1eccbd6fe 100644
--- a/shell_user.te
+++ b/shell_user.te
@@ -6,3 +6,9 @@ unconfined_domain(shell)
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
-- 
GitLab
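Review bot: `dontaudit runas self:capability dac_override;` is added to a domain that the same hunk declares `permissive runas;`, and those two lines work against each other. While the domain is permissive the AVC log is the only evidence of what it would have been denied, and the dontaudit drops dac_override from that log, so a genuine dac_override need will stay invisible right up until the `permissive` line is removed. Either defer the dontaudit until the domain is enforcing, or note the trade-off beside it: `# dac_override is dontaudited deliberately; re-check the audit log before dropping permissive.` The `mlstrustedsubject` attribute on the type line also carries no stated reason; a one-line comment on why run-as must cross MLS levels would help the next reader.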
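Review bot: The rules added to shell.te are wider than their comments describe: `allow shell non_system_app_set:process sigkill;` lets the shell SIGKILL every process in `non_system_app_set`, not just a gdbserver, and `r_dir_file(shell, non_system_app_set)` presumably exposes those processes' /proc entries to shell as well (the macro body is not in this diff). With `permissive shell;` still present in the context lines, none of the three rules changes enforcement yet; their immediate effect is to stop the corresponding denials being logged. A comment recording that, e.g. `# These cover all of non_system_app_set; shell is permissive, so for now they only quiet the audit log.`, keeps it visible for when shell is confined.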
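Review bot: `unconfined_domain(shell)` in the shell_user.te hunk header's context suggests the two rules added there are already granted on the user build, so they have no effect unless unconfined_domain is narrower than its name implies; worth confirming against the macro. If they are kept so that shell.te and shell_user.te list the same ndk-gdb requirements, say so: `# Duplicated from shell.te so the ndk-gdb requirements are listed for both builds.` Note also that the sigkill rule added to shell.te has no counterpart in shell_user.te; if that is deliberate, a comment would stop it being "fixed" later.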