Protect apps from ptrace by other system components

The Android security model guarantees the confidentiality and integrity
of application data and execution state. Ptrace bypasses those
confidentiality guarantees. Disallow ptrace access from system components
to apps. Crash_dump is excluded, as it needs ptrace access to
produce stack traces.

Bug: 111317528
Test: code compiles
Change-Id: I883df49d3e9bca62952c3b33d1c691786dd7df4d

public/app.te

@@ -405,6 +405,14 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
 
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+
+neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
+
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
 neverallow appdomain { domain -appdomain }:file no_w_file_perms;

public/te_macros

@@ -178,6 +178,12 @@ tmpfs_domain($1)
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -$1 -crash_dump } $1:process ptrace;
 ')
 
 #####################################