| Stephen Smalley | 48759ca | 2013-10-29 14:42:39 -0400 | [diff] [blame] | 1 | type runas, domain, mlstrustedsubject; |
| Stephen Smalley | 0130154 | 2013-09-27 10:38:14 -0400 | [diff] [blame] | 2 | type runas_exec, exec_type, file_type; |
| Stephen Smalley | e884872 | 2012-11-13 13:00:05 -0500 | [diff] [blame] | 3 | |
| 4 | # ndk-gdb invokes adb shell run-as. |
| 5 | domain_auto_trans(shell, runas_exec, runas) |
| Stephen Smalley | 48759ca | 2013-10-29 14:42:39 -0400 | [diff] [blame] | 6 | allow runas adbd:process sigchld; |
| 7 | allow runas shell:fd use; |
| 8 | allow runas devpts:chr_file { read write ioctl }; |
| 9 | |
| 10 | # run-as reads package information. |
| 11 | allow runas system_data_file:file r_file_perms; |
| 12 | |
| 13 | # run-as checks and changes to the app data dir. |
| 14 | dontaudit runas self:capability dac_override; |
| 15 | allow runas app_data_file:dir { getattr search }; |
| 16 | |
| 17 | # run-as switches to the app UID/GID. |
| 18 | allow runas self:capability { setuid setgid }; |
| 19 | |
| 20 | # run-as switches to the app security context. |
| 21 | # read /seapp_contexts and /data/security/seapp_contexts |
| 22 | security_access_policy(runas) |
| 23 | selinux_check_context(runas) # validate context |
| 24 | allow runas non_system_app_set:process dyntransition; # setcon |