From b51c4dd39a6f6ab82e093173120771d4b0ba2490 Mon Sep 17 00:00:00 2001
From: Christopher Ferris
Date: Sun, 18 Jan 2015 17:39:53 -0800
Subject: [PATCH] Allow debuggerd to redirect requests.

On 64 bit systems, all requests will first go to the 64 bit debuggerd which will redirect to the 32 bit debuggerd if necessary. This avoids any permissions problems where a java process needs to be able to read the elf data for executables. Instead the permissions are granted to debuggerd instead. Also remove the permissions to read the /system/bin executables from dumpstate since they aren't necessary any more.

Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
---
 debuggerd.te | 4 ++++
 dumpstate.te | 3 ---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/debuggerd.te b/debuggerd.te
index b94607485..4f84813be 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -22,6 +22,10 @@ allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
 # Access app library
 allow debuggerd system_data_file:file open;
+# Allow debuggerd to redirect a dump_backtrace request to itself.
+# This only happens on 64 bit systems, where all requests go to the 64 bit
+# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
+allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
diff --git a/dumpstate.te b/dumpstate.te
index 2324c25d9..ad4f23808 100644
--- a/dumpstate.te
+++ b/dumpstate.te
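Review bot: In the debuggerd.te hunk, the comment added above `allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;` does not say where the five-domain list comes from or that it has to be kept in step with the processes whose backtraces are requested. The list already differs from the dumpstate.te rule this patch removes, which named four `_exec` types and no inputflinger, so the two were presumably maintained by hand. I would add `# Keep this list in sync with the native processes that dump_backtrace is requested for.` so that a service missing from the set is caught in review rather than showing up as an avc denial and an absent backtrace. The comment's "to itself" may also be worth rewording, since the rule's target types are the listed service domains rather than debuggerd; the grant itself stays narrow, one permission on named domains.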
@@ -104,9 +104,6 @@ allow dumpstate net_data_file:file r_file_perms; allow dumpstate tombstone_data_file:dir r_dir_perms; allow dumpstate tombstone_data_file:file r_file_perms; -# Access /system/bin executables to determine type of executable. -allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms; - allow dumpstate { drmserver_service healthd_service