Merge "Revert "Allowing userdebug/eng builds crash dump access to ks"" into main
diff --git a/private/crash_dump.te b/private/crash_dump.te
index b2d3bd5..a9a802c 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -19,13 +19,7 @@
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
- allow crash_dump {
- apexd
- keystore
- llkd
- logd
- vold
- }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
# Read ART APEX data directory
@@ -135,7 +129,6 @@
init
kernel
keystore
- userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
diff --git a/private/keystore.te b/private/keystore.te
index 3a1c242..50542b0 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -93,8 +93,7 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+neverallow * keystore:process ptrace;
# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
# system property, an exception is added for init as well.