Sepolicy: Allow crash_dump to ptrace apexd in userdebug
In userdebug, for better diagnostics, allow crash_dump to "connect to" apexd. Considering apexd is quite powerful, user devices remain restricted. Bug: 118771487 Test: m Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
This commit is contained in:
parent
3fbd303d1c
commit
efece54e06
@ -18,7 +18,7 @@ allow crash_dump {
|
|||||||
-vold
|
-vold
|
||||||
}:process { ptrace signal sigchld sigstop sigkill };
|
}:process { ptrace signal sigchld sigstop sigkill };
|
||||||
userdebug_or_eng(`
|
userdebug_or_eng(`
|
||||||
allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
|
allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
|
||||||
')
|
')
|
||||||
|
|
||||||
###
|
###
|
||||||
@ -29,6 +29,8 @@ userdebug_or_eng(`
|
|||||||
# files, so we avoid adding redundant assertions here
|
# files, so we avoid adding redundant assertions here
|
||||||
|
|
||||||
neverallow crash_dump {
|
neverallow crash_dump {
|
||||||
|
apexd
|
||||||
|
userdebug_or_eng(`-apexd')
|
||||||
bpfloader
|
bpfloader
|
||||||
init
|
init
|
||||||
kernel
|
kernel
|
||||||
|
@ -9,7 +9,7 @@ set_prop(apexd, apexd_prop)
|
|||||||
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
|
neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
|
||||||
neverallow { domain -init -apexd -system_server } apexd:binder call;
|
neverallow { domain -init -apexd -system_server } apexd:binder call;
|
||||||
|
|
||||||
neverallow domain apexd:process ptrace;
|
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
|
||||||
|
|
||||||
# only apexd can set apexd sysprop
|
# only apexd can set apexd sysprop
|
||||||
neverallow { domain -apexd -init } apexd_prop:property_service set;
|
neverallow { domain -apexd -init } apexd_prop:property_service set;
|
||||||
|
Loading…
Reference in New Issue
Block a user