debuggerd.te: remove domain_deprecated
Remove domain_deprecated and add allow rules for the accesses picked up by log collection.
Addresses the following auditallow messages:
avc: granted { search } for comm="debuggerd" name="arm" dev="sda35"
ino=57521 scontext=u:r:debuggerd:s0
tcontext=u:object_r:apk_data_file:s0 tclass=dir
avc: granted { read } for comm="debuggerd"
path="/data/app/dji.pilot-Z6Q2X6YjYNN2Ag8otZTCdg==/lib/arm/libtpnsWatchdog.so"
dev="sda35" ino=57854 scontext=u:r:debuggerd:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file
avc: granted { getattr } for comm="debuggerd64"
path="/data/app/com.google.android.youtube-2/lib/arm64/libcronet.so"
dev="sda35" ino=1384657 scontext=u:r:debuggerd:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file
avc: granted { read open } for comm="debuggerd"
path="/data/app/dji.pilot-We9wJivxEqhzfdtQrNFvaA==/lib/arm/libtpnsWatchdog.so"
dev="sda35" ino=57575 scontext=u:r:debuggerd:s0
tcontext=u:object_r:apk_data_file:s0 tclass=file
Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I1ae6203e37ddd4a19551d8063d26071ac20f2f3e
diff --git a/public/debuggerd.te b/public/debuggerd.te
index 0222e34..5790e83 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@@ -1,5 +1,5 @@
# debugger interface
-type debuggerd, domain, domain_deprecated;
+type debuggerd, domain;
type debuggerd_exec, exec_type, file_type;
typeattribute debuggerd mlstrustedsubject;
@@ -30,6 +30,8 @@
allow debuggerd shared_relro_file:file r_file_perms;
allow debuggerd domain:process { sigstop sigkill signal };
allow debuggerd { exec_type libart_file }:file r_file_perms;
+allow debuggerd apk_data_file:file r_file_perms;
+allow debuggerd apk_data_file:dir search;
# Access app library
allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself.
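Review bot: The two added `apk_data_file` rules have no comment of their own and sit above the existing `# Access app library` comment, so a reader cannot tell why debuggerd needs them. I would add a line above them such as `# Read app native libraries under /data/app (seen in auditallow logs); formerly granted via domain_deprecated`. Note also that `r_file_perms` applies to every file labelled `apk_data_file`, not only the `.so` files shown in the description, and the logged grants are limited to getattr, open and read, so the macro may allow more than was observed. Because debuggerd is declared `mlstrustedsubject` earlier in the file, this type-enforcement rule is presumably the main limit on which apps' files it can read. It is worth confirming that the full macro is intended, rather than `{ getattr open read }`.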