From a191398812eb35be613541b3822a363919da8586 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 19 Mar 2015 09:35:31 -0700
Subject: [PATCH] Add new "procrank" SELinux domain.

/system/xbin/procrank is a setuid program run by adb shell on
userdebug / eng devices. Allow it to work without running adb root.

Bug: 18342188
Change-Id: I18d9f743e5588c26661eaa26e1b7e6980b15caf7
---
 domain.te     |  9 ++++++++-
 file_contexts |  1 +
 procrank.te   | 13 +++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 procrank.te

diff --git a/domain.te b/domain.te
index 733a09523..32aa9004c 100644
--- a/domain.te
+++ b/domain.te
@@ -177,7 +177,14 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
-neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+neverallow {
+  domain
+  -debuggerd
+  -vold
+  -dumpstate
+  -system_server
+  userdebug_or_eng(`-procrank')
+} self:capability sys_ptrace;
 
 # Limit device node creation to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;
diff --git a/file_contexts b/file_contexts
index ce55cc874..27d5842d8 100644
--- a/file_contexts
+++ b/file_contexts
@@ -156,6 +156,7 @@
 /system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
+/system/xbin/procrank   u:object_r:procrank_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd     u:object_r:hostapd_exec:s0
diff --git a/procrank.te b/procrank.te
new file mode 100644
index 000000000..06b33f8d8
--- /dev/null
+++ b/procrank.te
@@ -0,0 +1,13 @@
+# File types must be defined for file_contexts.
+type procrank_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+  type procrank, domain, mlstrustedsubject;
+
+  domain_auto_trans(shell, procrank_exec, procrank)
+  allow procrank self:capability sys_ptrace;
+  allow procrank devpts:chr_file { read write getattr ioctl };
+  r_dir_file(procrank, domain)
+  allow procrank shell:fd use;
+  allow procrank adbd:process sigchld;
+')
-- 
GitLab