profman/debuggerd: allow libart_file:file r_file_perms am: 364fd19782 am: d62abbeea3

am: ff6715f3d2 Change-Id: Ibf6da5e4bf8dedb5797958d5c00ac675303d47f0
2016-11-08 20:19:40 +00:00 · 2016-11-08 20:19:40 +00:00 · c9d0e1e9b9
commit c9d0e1e9b9
parent 1bda71f5e3 ff6715f3d2
3 changed files with 9 additions and 1 deletions
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@ -23,7 +23,7 @@ allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
 allow debuggerd shared_relro_file:file r_file_perms;
 allow debuggerd domain:process { sigstop sigkill signal };
-allow debuggerd exec_type:file r_file_perms;
+allow debuggerd { exec_type libart_file }:file r_file_perms;
 # Access app library
 allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
--- a/public/domain.te
+++ b/public/domain.te
@ -107,8 +107,10 @@ allow domain libart_file:file { execute read open getattr };
 auditallow {
  domain
  -appdomain
+  -debuggerd
  -dex2oat
  -dumpstate
+  -profman
  -recovery
  -zygote
 } libart_file:file { execute read open getattr };
--- a/public/profman.te
+++ b/public/profman.te
@ -2,6 +2,8 @@
 type profman, domain;
 type profman_exec, exec_type, file_type;

+allow profman libart_file:file r_file_perms;
+
 allow profman user_profile_data_file:file { getattr read write lock };

 # Dumping profile info opens the application APK file for pretty printing.
@ -14,4 +16,8 @@ allow profman profman_dump_data_file:file { write };

 allow profman installd:fd use;

+###
+### neverallow rules
+###
+
 neverallow profman app_data_file:notdevfile_class_set open;