Allow debuggerd to redirect requests.
On 64 bit systems, all requests will first go to the 64 bit debuggerd which will redirect to the 32 bit debuggerd if necessary. This avoids any permissions problems where a java process needs to be able to read the elf data for executables. Instead the permissions are granted to debuggerd instead. Also remove the permissions to read the /system/bin executables from dumpstate since they aren't necessary any more. Bug: https://code.google.com/p/android/issues/detail?id=97024 Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
This commit is contained in:
parent
33bf053826
commit
b51c4dd39a
2 changed files with 4 additions and 3 deletions
|
@ -22,6 +22,10 @@ allow debuggerd domain:process { sigstop signal };
|
||||||
allow debuggerd exec_type:file r_file_perms;
|
allow debuggerd exec_type:file r_file_perms;
|
||||||
# Access app library
|
# Access app library
|
||||||
allow debuggerd system_data_file:file open;
|
allow debuggerd system_data_file:file open;
|
||||||
|
# Allow debuggerd to redirect a dump_backtrace request to itself.
|
||||||
|
# This only happens on 64 bit systems, where all requests go to the 64 bit
|
||||||
|
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
|
||||||
|
allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
|
||||||
|
|
||||||
# Connect to system_server via /data/system/ndebugsocket.
|
# Connect to system_server via /data/system/ndebugsocket.
|
||||||
unix_socket_connect(debuggerd, system_ndebug, system_server)
|
unix_socket_connect(debuggerd, system_ndebug, system_server)
|
||||||
|
|
|
@ -104,9 +104,6 @@ allow dumpstate net_data_file:file r_file_perms;
|
||||||
allow dumpstate tombstone_data_file:dir r_dir_perms;
|
allow dumpstate tombstone_data_file:dir r_dir_perms;
|
||||||
allow dumpstate tombstone_data_file:file r_file_perms;
|
allow dumpstate tombstone_data_file:file r_file_perms;
|
||||||
|
|
||||||
# Access /system/bin executables to determine type of executable.
|
|
||||||
allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
|
|
||||||
|
|
||||||
allow dumpstate {
|
allow dumpstate {
|
||||||
drmserver_service
|
drmserver_service
|
||||||
healthd_service
|
healthd_service
|
||||||
|
|
Loading…
Reference in a new issue