xref: /aosp_15_r20/system/sepolicy/private/runas_app.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# Policy for the runas_app domain. Per the rule comments below, this is the
# domain in which tools started through run-as on a debuggable app
# (lldb, ndk-gdb, simpleperf) execute.
typeattribute runas_app coredomain;

# Apply the shared app, untrusted-app, network and Bluetooth policy macros
# to this domain.
app_domain(runas_app)
untrusted_app_domain(runas_app)
net_domain(runas_app)
bluetooth_domain(runas_app)

# Let run-as exec() files that live in an app's home directory when the app
# is debuggable. lldb/ndk-gdb/simpleperf are copied into the app's home
# directory and started from there. execute_no_trans means the new program
# keeps running as runas_app; no domain transition takes place.
# NOTE(review): app_data_file labels app-private data, which is presumably
# writable by the app itself, so this is an execute-from-writable-storage
# grant. Keep it confined to this debug tooling domain.
allow runas_app app_data_file:file execute_no_trans;

# Read access to the directories and files of debuggable app processes, so
# that lldb/ndk-gdb/simpleperf can read their maps.
r_dir_file(runas_app, untrusted_app_all)

# ptrace attach and signal delivery for lldb/ndk-gdb/simpleperf against
# debuggable app processes, plus connecting to their unix stream sockets.
# NOTE(review): the target here is the untrusted_app_all attribute; nothing
# in these two rules expresses "debuggable". That restriction is presumably
# enforced by run-as and by the kernel's own ptrace checks. Confirm before
# relying on it.
allow runas_app untrusted_app_all:process { ptrace sigkill signal sigstop };
allow runas_app untrusted_app_all:unix_stream_socket connectto;

# Run the simpleperf binary shipped on the system image directly, staying in
# runas_app (no domain transition).
allow runas_app simpleperf_exec:file rx_file_perms;

# simpleperf looks for its target by scanning /proc/<pid>/cmdline. Each
# /proc/<pid> directory carries the domain of its process, and most of those
# are not visible to runas_app, so the scan produces denial logspam.
# dontaudit only silences the log entries; the searches are still denied.
# Side effect for monitoring: these denials will not appear in the audit log.
dontaudit runas_app domain:dir search;

# perf_event_open is allowed for profiling debuggable app processes, not the
# whole system. The neverallow is a policy-build-time assertion that pins the
# permission set: every perf_event permission other than the four granted
# here (in the kernel's perf_event class, that leaves cpu and tracepoint)
# can never be added for runas_app on itself.
allow runas_app self:perf_event { open read write kernel };
neverallow runas_app self:perf_event ~{ open read write kernel };

# Silence the denial raised when the bionic loader searches the
# /data/local/tests directories. Nothing is granted; only logging is
# suppressed.
dontaudit runas_app shell_test_data_file:dir search;