platform_system_sepolicy/debuggerd.te

40 lines
1.6 KiB
Text
Raw Normal View History

2012-01-04 18:33:27 +01:00
# debugger interface
type debuggerd, domain, domain_deprecated;
2012-01-04 18:33:27 +01:00
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
security_access_policy(debuggerd)
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
allow debuggerd domain:process { sigstop signal };
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
allow debuggerd { audioserver drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
debuggerd: Allow "debug.db.uid" usage Allow the use of debug.db.uid on userdebug / eng builds. Setting this property allows debuggerd to suspend a process if it detects a crash. Make debug.db.uid only accessible to the su domain. This should not be used on a user build. Only support reading user input on userdebug / eng builds. Steps to reproduce with the "crasher" program: adb root adb shell setprop debug.db.uid 20000 mmm system/core/debuggerd adb sync adb shell crasher Addresses the following denials: <5>[ 580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir <5>[ 580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir <5>[ 580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file <5>[ 580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file <5>[ 580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file Bug: 12532622 Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1
2014-02-06 01:36:25 +01:00
userdebug_or_eng(`
allow debuggerd input_device:dir r_dir_perms;
allow debuggerd input_device:chr_file rw_file_perms;
')
# logd access
read_logd(debuggerd)
# Check SELinux permissions.
selinux_check_access(debuggerd)