364fd19782
Addresses the following auditallow spam: avc: granted { read open } for comm="profman" path="/system/lib/libart.so" dev="dm-0" ino=1368 scontext=u:r:profman:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { read open } for comm="debuggerd64" path="/system/lib64/libart.so" dev="dm-0" ino=1897 scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file avc: granted { getattr } for comm="debuggerd64" path="/system/lib64/libart.so" dev="dm-0" ino=1837 scontext=u:r:debuggerd:s0 tcontext=u:object_r:libart_file:s0 tclass=file Test: Policy compiles. Not a tightening of rules. Change-Id: I501b0a6a343c61b3ca6283647a18a9a15deddf2a
63 lines
1.8 KiB
Text
63 lines
1.8 KiB
Text
# debugger interface
|
|
type debuggerd, domain, domain_deprecated;
|
|
type debuggerd_exec, exec_type, file_type;
|
|
|
|
typeattribute debuggerd mlstrustedsubject;
|
|
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
|
|
allow debuggerd self:capability2 { syslog };
|
|
allow debuggerd domain:dir r_dir_perms;
|
|
allow debuggerd domain:file r_file_perms;
|
|
allow debuggerd domain:lnk_file read;
|
|
allow debuggerd {
|
|
domain
|
|
-adbd
|
|
-debuggerd
|
|
-healthd
|
|
-init
|
|
-keystore
|
|
-ueventd
|
|
-watchdogd
|
|
}:process { execmem ptrace getattr };
|
|
allow debuggerd tombstone_data_file:dir rw_dir_perms;
|
|
allow debuggerd tombstone_data_file:file create_file_perms;
|
|
allow debuggerd shared_relro_file:dir r_dir_perms;
|
|
allow debuggerd shared_relro_file:file r_file_perms;
|
|
allow debuggerd domain:process { sigstop sigkill signal };
|
|
allow debuggerd { exec_type libart_file }:file r_file_perms;
|
|
# Access app library
|
|
allow debuggerd system_data_file:file open;
|
|
# Allow debuggerd to redirect a dump_backtrace request to itself.
|
|
# This only happens on 64 bit systems, where all requests go to the 64 bit
|
|
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
|
|
|
|
allow debuggerd {
|
|
audioserver
|
|
bluetooth
|
|
cameraserver
|
|
drmserver
|
|
inputflinger
|
|
mediacodec
|
|
mediadrmserver
|
|
mediaextractor
|
|
mediaserver
|
|
sdcardd
|
|
surfaceflinger
|
|
}:debuggerd dump_backtrace;
|
|
|
|
# Connect to system_server via /data/system/ndebugsocket.
|
|
unix_socket_connect(debuggerd, system_ndebug, system_server)
|
|
|
|
userdebug_or_eng(`
|
|
allow debuggerd input_device:dir r_dir_perms;
|
|
allow debuggerd input_device:chr_file rw_file_perms;
|
|
')
|
|
|
|
# logd access
|
|
read_logd(debuggerd)
|
|
|
|
# Check SELinux permissions.
|
|
selinux_check_access(debuggerd)
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow debuggerd dalvikcache_data_file:dir { search getattr };
|
|
allow debuggerd dalvikcache_data_file:file r_file_perms;
|