Stephen Smalley  committed e884872

Add policy for run-as program.

Add policy for run-as program and label it in file_contexts.
Drop MLS constraints on local socket checks other than create/relabel
as this interferes with connections with services, in particular for
adb forward.

Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
Signed-off-by: Stephen Smalley <>

  • Participants
  • Parent commits fdaa786

Comments (0)

Files changed (5)

 type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type;
+type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;

File file_contexts

 /system/bin/ash		u:object_r:shell_exec:s0
 /system/bin/mksh	u:object_r:shell_exec:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
+/system/bin/run-as	--	u:object_r:runas_exec:s0
 /system/bin/app_process	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
 # Socket constraints
-# These permissions are between the process and its local socket,
-# not between a process/socket and its peer.
-# Equivalence is the normal situation; anything else requires trust.
-mlsconstrain socket_class_set { read write create getattr setattr relabelfrom relabelto bind connect listen accept getopt setopt shutdown }
-	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+# Create/relabel operations:  Subject must be equivalent to object unless
+# the subject is trusted.  Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+	     ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
 # Datagram send: Sender must be dominated by receiver unless one of them is
 # trusted.
+type runas, domain, mlstrustedsubject;
+type runas_exec, file_type;
+bool support_runas true;
+if (support_runas) {
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shell, untrusted_app)
+dontaudit shell domain:dir r_dir_perms;
+dontaudit shell domain:file r_file_perms;
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shell app_data_file:dir search;
+# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
+allow shell untrusted_app:process sigkill;
+dontaudit shell self:capability { sys_ptrace kill };
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
+allow runas shell:fd  use;
+allow runas devpts:chr_file { read write };
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas self:capability dac_read_search;
+allow runas app_data_file:dir { getattr search };
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+# run-as switches to the app security context.
+allow runas rootfs:file r_file_perms; # read /seapp_contexts
+selinux_check_context(runas) # validate context
+allow runas untrusted_app:process dyntransition; # setcon
+# run-as runs lib/gdbserver from the app data dir.
+allow untrusted_app system_data_file:file rx_file_perms;
+# run-as may also run sh or system commands.
+allow untrusted_app shell_exec:file rx_file_perms;
+allow untrusted_app system_file:file rx_file_perms;
+# gdbserver reads the zygote.
+allow untrusted_app zygote_exec:file r_file_perms;
+# (grand)child death notification.
+allow untrusted_app shell:process sigchld;
+# child shell or gdbserver pty access.
+allow untrusted_app devpts:chr_file { getattr read write };
+# gdbserver creates a socket in the app data dir.
+allow untrusted_app app_data_file:sock_file { create unlink };
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd untrusted_app:unix_stream_socket connectto;
+# ndk-gdb invokes adb pull of app_process, linker, and
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
-type shell, domain;
+type shell, domain, mlstrustedsubject;
 type shell_exec, file_type;
 domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;