diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-07-24 15:25:43 -0400 |
---|---|---|
committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-07-24 15:33:44 -0400 |
commit | ba992496f01e40a10d9749bb25b6498138e607fb (patch) | |
tree | b8c00dea54c60d7df0d1f0858f9fac50a4a1131f | |
parent | b2eaa28d11c6fed7806c08728ef624819171d627 (diff) | |
download | android_external_sepolicy-ba992496f01e40a10d9749bb25b6498138e607fb.tar.gz android_external_sepolicy-ba992496f01e40a10d9749bb25b6498138e607fb.tar.bz2 android_external_sepolicy-ba992496f01e40a10d9749bb25b6498138e607fb.zip |
Define debuggerd class, permissions, and rules.
Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.
Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.
Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
-rw-r--r-- | access_vectors | 6 | ||||
-rw-r--r-- | debuggerd.te | 5 | ||||
-rw-r--r-- | security_classes | 3 | ||||
-rw-r--r-- | system_server.te | 3 |
4 files changed, 16 insertions, 1 deletions
diff --git a/access_vectors b/access_vectors index 5e78341..1b26bce 100644 --- a/access_vectors +++ b/access_vectors @@ -915,3 +915,9 @@ class keystore_key duplicate clear_uid } + +class debuggerd +{ + dump_tombstone + dump_backtrace +} diff --git a/debuggerd.te b/debuggerd.te index 6bbeac4..22afe63 100644 --- a/debuggerd.te +++ b/debuggerd.te @@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog }; allow debuggerd domain:dir r_dir_perms; allow debuggerd domain:file r_file_perms; allow debuggerd domain:lnk_file read; -allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace; +allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr }; security_access_policy(debuggerd) allow debuggerd system_data_file:dir create_dir_perms; allow debuggerd system_data_file:dir relabelfrom; @@ -31,3 +31,6 @@ userdebug_or_eng(` # logd access read_logd(debuggerd) + +# Check SELinux permissions. +selinux_check_access(debuggerd) diff --git a/security_classes b/security_classes index fcee928..ca8f468 100644 --- a/security_classes +++ b/security_classes @@ -143,4 +143,7 @@ class service_manager # userspace # Keystore Key class keystore_key # userspace +# debuggerd service +class debuggerd # userspace + # FLASK diff --git a/system_server.te b/system_server.te index 9d973db..9d3dfa1 100644 --- a/system_server.te +++ b/system_server.te @@ -127,6 +127,9 @@ binder_call(system_server, appdomain) binder_call(system_server, dumpstate) binder_service(system_server) +# Ask debuggerd to dump backtraces for native stacks of interest. +allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace; + # Read /proc/pid files for dumping stack traces of native processes. r_dir_file(system_server, mediaserver) r_dir_file(system_server, sdcardd) |