Merge "Sepolicy: Allow crash_dump to ptrace apexd in userdebug"

2019-03-06 22:12:11 +00:00 · 2019-03-06 22:12:11 +00:00 · c67985a067
commit c67985a067
parent a5f5fc5afd efece54e06
2 changed files with 4 additions and 2 deletions
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@ -18,7 +18,7 @@ allow crash_dump {
  -vold
 }:process { ptrace signal sigchld sigstop sigkill };
 userdebug_or_eng(`
-  allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
 ')

 ###
@ -29,6 +29,8 @@ userdebug_or_eng(`
 # files, so we avoid adding redundant assertions here

 neverallow crash_dump {
+  apexd
+  userdebug_or_eng(`-apexd')
  bpfloader
  init
  kernel
--- a/public/apexd.te
+++ b/public/apexd.te
@ -9,7 +9,7 @@ set_prop(apexd, apexd_prop)
 neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
 neverallow { domain -init -apexd -system_server } apexd:binder call;

-neverallow domain apexd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;

 # only apexd can set apexd sysprop
 neverallow { domain -apexd -init } apexd_prop:property_service set;