allow runas_app untrusted_app_all:unix_stream_socket connectto
system/sepolicy commit ffa2b61330c93bac780cde9eb5bc72ae60cd910b
introduced the runas_app SELinux domain, which changed how we perform
debugging and profiling of Android applications. This broke Android
Studio's profiling tool.
Android Studio's profiling tool has the run-as spawned application
connect to an app created unix domain sockets in the
abstract namespace.
Note: this differs from system/sepolicy commit
3e5668f173374a98ff13b94523960c5bf14c8b72, which allows connections in
the reverse direction (from app to runas_app). That change (b/123297648)
was made for a different part of Android Studio, Android Studio Instant
Run.
Addresses the following denial:
2019-02-08 00:59:14.563 15560-15560/? W/connector: type=1400 audit(0.0:645): avc: denied { connectto } for path=00436C69656E74 scontext=u:r:runas_app:s0:c188,c256,c512,c768 tcontext=u:r:untrusted_app_27:s0:c188,c256,c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.hellojni
(hex decode of 00436C69656E74 is "Client")
2019-01-31 17:25:16.060 19975-19975/? W/transport: type=1400 audit(0.0:8146): avc: denied { connectto } for path=00416E64726F696453747564696F5472616E73706F72744167656E743139383839 scontext=u:r:runas_app:s0:c512,c768 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=unix_stream_socket permissive=0 app=com.example.android.displayingbitmaps
(hex decode of
00416E64726F696453747564696F5472616E73706F72744167656E743139383839
is "AndroidStudioTransportAgent19889")
Bug: 120445954
Test: manual
Change-Id: I9ca1c338dcbc75cb3fbd7bf93a348f9276363dc1
diff --git a/private/runas_app.te b/private/runas_app.te
index 525aea1..e6fd953 100644
--- a/private/runas_app.te
+++ b/private/runas_app.te
@@ -15,3 +15,4 @@
# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
allow runas_app untrusted_app_all:process { ptrace signal sigstop };
+allow runas_app untrusted_app_all:unix_stream_socket connectto;