From 116a20fdb6d9033e82e0c2fd421e054cfbc8c3b3 Mon Sep 17 00:00:00 2001 From: Nick Kralevich Date: Wed, 5 Feb 2014 16:36:25 -0800 Subject: debuggerd: Allow "debug.db.uid" usage Allow the use of debug.db.uid on userdebug / eng builds. Setting this property allows debuggerd to suspend a process if it detects a crash. Make debug.db.uid only accessible to the su domain. This should not be used on a user build. Only support reading user input on userdebug / eng builds. Steps to reproduce with the "crasher" program: adb root adb shell setprop debug.db.uid 20000 mmm system/core/debuggerd adb sync adb shell crasher Addresses the following denials: <5>[ 580.637442] type=1400 audit(1392412124.612:149): avc: denied { read } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir <5>[ 580.637589] type=1400 audit(1392412124.612:150): avc: denied { open } for pid=182 comm="debuggerd" name="input" dev="tmpfs" ino=5665 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=dir <5>[ 580.637706] type=1400 audit(1392412124.612:151): avc: denied { read write } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file <5>[ 580.637823] type=1400 audit(1392412124.612:152): avc: denied { open } for pid=182 comm="debuggerd" name="event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file <5>[ 580.637958] type=1400 audit(1392412124.612:153): avc: denied { ioctl } for pid=182 comm="debuggerd" path="/dev/input/event5" dev="tmpfs" ino=6723 scontext=u:r:debuggerd:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file Bug: 12532622 Change-Id: I63486edb73efb1ca12e9eb1994ac9e389251a3f1 --- su.te | 1 + 1 file changed, 1 insertion(+) (limited to 'su.te') diff --git a/su.te b/su.te index 7b6899a..1317fb2 100644 --- a/su.te +++ b/su.te @@ -16,6 +16,7 @@ userdebug_or_eng(` allow su self:process execmem; tmpfs_domain(su) allow su su_tmpfs:file execute; + allow su debuggerd_prop:property_service set; # su is also permissive to permit setenforce. permissive su; -- cgit v1.2.3