Merge "Add domain level neverallow to restrict access to ptrace" am: 1b4e9393d3 am: 41d6edd0e7

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2505897

Change-Id: I9a4cfaafff462a2fe8a0b77e6cfed13e147f68e7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Nikita Ioffe 2023-03-29 12:35:52 +00:00 committed by Automerger Merge Worker
commit e63a597a47
2 changed files with 4 additions and 0 deletions


@ -63,4 +63,5 @@ userdebug_or_eng(`
}:process { ptrace signal sigchld sigstop sigkill };
')
neverallow crash_dump self:process ptrace;
neverallow crash_dump no_crash_dump_domain:process ptrace;
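Review bot: The two crash_dump ptrace neverallows after the closing `')` carry no comment, so a reader cannot tell why they sit outside the `userdebug_or_eng` block or how they relate to the list-based rule above, whose start is outside this hunk. A one-line comment would cover it, for example `# On every build variant, crash_dump must not ptrace itself or any no_crash_dump_domain process.` Which of the two lines this commit adds is not recoverable from the page, so the comment is worded to cover both.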


@ -538,3 +538,6 @@ neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
# Ensure that no one can execute from encrypted storage, which is a writable partition in VM.
neverallow domain encryptedstore_file:file no_x_file_perms;
# Only crash_dump is allowed to access ptrace
neverallow { domain -crash_dump } domain:process ptrace;
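Review bot: The comment `# Only crash_dump is allowed to access ptrace` overstates what the rule on the last line does: a neverallow grants nothing, it only makes the policy build fail if any source other than crash_dump is given `ptrace` on a `domain` process. Suggested wording: `# No domain except crash_dump may be granted process ptrace; crash_dump's own targets are limited by its neverallows.` The rule is not wrapped in a build-variant macro, so it appears to apply to userdebug and eng policy as well; if that is intended, the comment should say so. Because the check runs when the policy is built, it constrains allow rules and does not by itself restrict a domain that runs permissive.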