Add runas_app domain to allow running app data file via run-as.
Calling execve() on files in an app's home directory isn't allowed
for targetApi >=29. But this is needed by simpleperf to profile
a debuggable app via run-as.
So workaround it by adding runas_app domain, which allows running
app data file. And add a rule in seapp_contexts to use runas_app
domain for setcontext requests from run-as.
Bug: 118737210
Test: boot marlin and run CtsSimpleperfTestCases.
Change-Id: I5c3b54c95337d6d8192861757b858708174ebfd5
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 821ef0c..55391ea 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -9,6 +9,7 @@
# path (string)
# isPrivApp (boolean)
# minTargetSdkVersion (unsigned integer)
+# fromRunAs (boolean)
# isSystemServer=true can only be used once.
# An unspecified isSystemServer defaults to false.
# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
@@ -25,6 +26,7 @@
# minTargetSdkVersion will match applications with a targetSdkVersion
# greater than or equal to the specified value. If unspecified,
# it has a default value of 0.
+# fromRunAs=true means the setcontext request is from run-as. Default is false.
# All specified input selectors in an entry must match (i.e. logical AND).
# Matching is case-insensitive.
#
@@ -43,6 +45,7 @@
# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+# (13) fromRunAs=true before fromRunAs=false.
#
# Outputs:
# domain (string)
@@ -118,3 +121,4 @@
user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
+user=_app fromRunAs=true domain=runas_app levelFrom=all