Avoid audit when running `adb shell -t run-as xxx`.
run-as uses a file descriptor created by adbd when running
`adb shell -t run-as xxx`. It produces audit warnings like the one below:
[ 2036.555371] c1 509 type=1400 audit(1497910817.864:238): avc: granted { use } for pid=4945 comm="run-as" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:r:adbd:s0 tclass=fd
Bug: http://b/62358246
Test: test manually that the warning disappears.
Change-Id: I19023ac876e03ce2afe18982fe753b07e4c876bb
diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index 64ad3e6..aaf516c 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -24,7 +24,7 @@
# This is used for e.g. adb backup/restore.
allow domain_deprecated adbd:fd use;
userdebug_or_eng(`
-auditallow { domain_deprecated -appdomain -system_server } adbd:fd use;
+auditallow { domain_deprecated -appdomain -system_server -runas } adbd:fd use;
')
# Root fs.
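Review bot: the new `-runas` exclusion on the auditallow line has no comment saying why runas is exempt, so a later cleanup of domain_deprecated could drop or misread it. Add a one-line comment above the auditallow noting that runas inherits the adbd pty fd under `adb shell -t run-as` and now has its own rule in runas.te. The exclusion only silences the audit on userdebug/eng builds; access is still granted to all of domain_deprecated by the unchanged `allow domain_deprecated adbd:fd use;` above it.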
diff --git a/public/runas.te b/public/runas.te
index a61f176..e56a9e7 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -1,6 +1,7 @@
type runas, domain, domain_deprecated, mlstrustedsubject;
type runas_exec, exec_type, file_type;
+allow runas adbd:fd use;
allow runas adbd:process sigchld;
allow runas adbd:unix_stream_socket { read write };
allow runas shell:fd use;
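Review bot: the added `allow runas adbd:fd use;` is currently redundant, since runas is declared with the domain_deprecated attribute on the first line of this file and domain_deprecated already has `adbd:fd use`. That is reasonable if the intent is to keep the permission once runas leaves domain_deprecated, but it should be stated: add a short comment such as "# run-as inherits the pty fd from adbd for adb shell -t run-as" so the rule is not removed as a duplicate. The denial in the commit message shows only `{ use }` on tclass=fd, so keeping the grant limited to `use` matches what was observed.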