tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/debuggerd.te
Janis Danisevskis 071b935d0b Allow debuggerd execmem on debuggable domains 
In anticipation of fixing a loophole in the Linux kernel that allows
circumventing the execmem permission by using the ptrace interface,
this patch grants execmem permission on debuggable domains to
debuggerd. This will be required for setting software break points
once the kernel has been fixed.

Bug: 31000401
Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
2016-09-15 15:11:31 +01:00

64 lines
1.8 KiB
Text
Raw Blame History

# debugger interface
type debuggerd, domain, domain_deprecated;
type debuggerd_exec, exec_type, file_type;
init_daemon_domain(debuggerd)
typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
allow debuggerd {
domain
-adbd
-debuggerd
-healthd
-init
-keystore
-ueventd
-watchdogd
}:process { execmem ptrace getattr };
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
allow debuggerd domain:process { sigstop sigkill signal };
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
allow debuggerd {
audioserver
bluetooth
cameraserver
drmserver
inputflinger
mediacodec
mediadrmserver
mediaextractor
mediaserver
sdcardd
surfaceflinger
}:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
userdebug_or_eng(`
allow debuggerd input_device:dir r_dir_perms;
allow debuggerd input_device:chr_file rw_file_perms;
')
# logd access
read_logd(debuggerd)
# Check SELinux permissions.
selinux_check_access(debuggerd)
# Read /data/dalvik-cache.
allow debuggerd dalvikcache_data_file:dir { search getattr };
allow debuggerd dalvikcache_data_file:file r_file_perms;
Reference in a new issue View git blame Copy permalink