runas_app: allow sigkill of untrusted_app It is safe to grant this permission because: * UID restrictions will prevent killing arbitrary apps. * Runas enforces restrictions preventing transitioning to UIDs of apps that are not debuggable. Addresses: avc: denied { sigkill } for scontext=u:r:runas_app:s0:c87,c257,c512,c768 tcontext=u:r:untrusted_app:s0:c87,c257,c512,c768 tclass=process permissive=0 app=com.example.myapplication Bug: 263379256 Test: Build and deploy any Android app in debug mode adb shell run-as com.example.myapplication kill -SIGKILL <pid> Change-Id: I1e4588a9a1c7ee71e0396fbd1ea5e1b24720bd62

commit: 5a6c0a755d6d5d7bc66d581d03552ac119362775 [log] [tgz]
author: Jeff Vander Stoep <jeffv@google.com> Fri Jan 20 09:02:19 2023 +0100
committer: Jeff Vander Stoep <jeffv@google.com> Fri Jan 20 09:02:19 2023 +0100
tree: 2dfe8a378c3c54b69c93fdcadaca04967b62669e
parent: 9bbc1c0e7266cbb753e97838baf89d3ebee1062b [diff]
diff --git a/private/runas_app.te b/private/runas_app.te
index c1b354a..a5f47f4 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te

@@ -14,7 +14,7 @@
 r_dir_file(runas_app, untrusted_app_all)
 
 # Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
 allow runas_app untrusted_app_all:unix_stream_socket connectto;
 
 # Allow executing system image simpleperf without a domain transition.
commit	5a6c0a755d6d5d7bc66d581d03552ac119362775	[log] [tgz]
author	Jeff Vander Stoep <jeffv@google.com>	Fri Jan 20 09:02:19 2023 +0100
committer	Jeff Vander Stoep <jeffv@google.com>	Fri Jan 20 09:02:19 2023 +0100
tree	2dfe8a378c3c54b69c93fdcadaca04967b62669e
parent	9bbc1c0e7266cbb753e97838baf89d3ebee1062b [diff]