Add runas_app domain to allow running app data file via run-as.
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So work around it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.
Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index b8889f7..ab080c2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -48,6 +48,7 @@
all_untrusted_apps
-untrusted_app_25
-untrusted_app_27
+ -runas_app
} { app_data_file privapp_data_file }:file execute_no_trans;
# Do not allow untrusted apps to be assigned mlstrustedsubject.
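Review bot: The `-runas_app` exclusion added to this neverallow set has no comment explaining why the domain is exempt from the `execute_no_trans` restriction on app data files. A short comment next to it, noting that runas_app is only used for setcontext requests from run-as so that tools such as simpleperf can profile a debuggable app (Bug: 118737210), would keep later readers from treating it as a general exemption. The exclusion also covers both `app_data_file` and `privapp_data_file`, while the commit message only talks about files in an app's home directory; please confirm that `privapp_data_file` is needed, or split the rule so runas_app is exempt for `app_data_file` only.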