From 74ba8c86137d85285a09780999b79034c7e935b1 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 5 Apr 2013 14:22:27 -0400
Subject: [PATCH] run-as policy fixes.

- Remove dac_read_search as it is no longer required by run-as.
- Introduce a separate type for /dev/tty so that we can allow use of own tty for
a run-as shell without allowing access to other /dev/tty[0-9]* nodes.
- Allow sigchld notifications for death of run-as and its descendants by adbd.
- Drop redundant rules for executing shell or system commands from untrusted_app;
now covered by rules in app.te.

Change-Id: Ic3bf7bee9eeabf9ad4a20f61fbb142a64bb37c6c
---
 device.te     |  1 +
 domain.te     |  1 +
 file_contexts |  1 +
 runas.te      | 11 ++++-------
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/device.te b/device.te
index f351c4496..d55258ad8 100644
--- a/device.te
+++ b/device.te
@@ -33,6 +33,7 @@ type random_device, dev_type;
 type sensors_device, dev_type;
 type serial_device, dev_type;
 type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
 type tty_device, dev_type;
 type urandom_device, dev_type;
 type video_device, dev_type;
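Review bot: The new owntty_device type is declared with mlstrustedobject, which exempts the node from MLS constraints, but neither the line nor the commit message says why /dev/tty needs that while tty_device on the following line does not. Presumably it is so that a run-as shell running at a different level can still use its controlling terminal; a comment would make that intent reviewable, e.g. `# /dev/tty: a process's own controlling terminal; mlstrustedobject so it is usable from any MLS level`.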
diff --git a/domain.te b/domain.te
index 42645cfd3..a4a06d554 100644
--- a/domain.te
+++ b/domain.te
@@ -44,6 +44,7 @@ allow domain dev_type:lnk_file read;
 allow domain devpts:dir search;
 allow domain device:file read;
 allow domain socket_device:dir search;
+allow domain owntty_device:chr_file rw_file_perms;
 allow domain null_device:chr_file rw_file_perms;
 allow domain zero_device:chr_file r_file_perms;
 allow domain ashmem_device:chr_file rw_file_perms;
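Review bot: The added rule grants rw_file_perms on owntty_device to every domain, whereas the commit message frames the need around a run-as shell, and nothing in the hunk records why the broad scope is acceptable. Since /dev/tty only resolves to the opening process's own controlling terminal, a domain-wide grant is likely the intent, but that reasoning should be stated inline so a later reader does not mistake it for an over-grant, e.g. `# /dev/tty is the caller's own controlling terminal, so every domain may use it`.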
diff --git a/file_contexts b/file_contexts
index 1e34bd94e..ccbb99ad0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -101,6 +101,7 @@
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tegra.*		u:object_r:video_device:s0
 /dev/tf_driver		u:object_r:tee_device:s0
+/dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
 /dev/tun		u:object_r:tun_device:s0
diff --git a/runas.te b/runas.te
index 0a207e6e1..60b086d49 100644
--- a/runas.te
+++ b/runas.te
@@ -19,15 +19,15 @@ dontaudit shell self:capability { sys_ptrace kill };
 
 # ndk-gdb invokes adb shell run-as.
 domain_auto_trans(shell, runas_exec, runas)
+allow runas adbd:process sigchld;
 allow runas shell:fd  use;
-allow runas devpts:chr_file { read write };
+allow runas devpts:chr_file { read write ioctl };
 
 # run-as reads package information.
 allow runas system_data_file:file r_file_perms;
 
 # run-as checks and changes to the app data dir.
 dontaudit runas self:capability dac_override;
-allow runas self:capability dac_read_search;
 allow runas app_data_file:dir { getattr search };
 
 # run-as switches to the app UID/GID.
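Review bot: The devpts rule gains ioctl with no comment and no mention in the commit message, and the same unexplained addition appears in the second runas.te hunk for untrusted_app. ioctl on the pty is what a shell needs for terminal control (attribute and window-size handling), but as written the grant covers every ioctl command on the device, so a reader cannot tell which ones were actually observed. Suggest stating the reason inline, `# run-as shell needs ioctl on its pty for terminal attribute handling`, and adding a bullet for the ioctl grants to the description alongside the dac_read_search removal.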
@@ -41,18 +41,15 @@ allow runas untrusted_app:process dyntransition; # setcon
 # run-as runs lib/gdbserver from the app data dir.
 allow untrusted_app system_data_file:file rx_file_perms;
 
-# run-as may also run sh or system commands.
-allow untrusted_app shell_exec:file rx_file_perms;
-allow untrusted_app system_file:file rx_file_perms;
-
 # gdbserver reads the zygote.
 allow untrusted_app zygote_exec:file r_file_perms;
 
 # (grand)child death notification.
 allow untrusted_app shell:process sigchld;
+allow untrusted_app adbd:process sigchld;
 
 # child shell or gdbserver pty access.
-allow untrusted_app devpts:chr_file { getattr read write };
+allow untrusted_app devpts:chr_file { getattr read write ioctl };
 
 # gdbserver creates a socket in the app data dir.
 allow untrusted_app app_data_file:sock_file { create unlink };
-- 
GitLab