commit 879909f4d6e803f74cb2c24ba24183ef05574aa7
author Paul Lawrence <paullawrence@google.com> Fri Jan 24 12:56:34 2025 -0800
committer Paul Lawrence <paullawrence@google.com> Mon Jan 27 12:39:07 2025 -0800
tree 4834e84ecff857a17a2f52a79a2c8c8fb1f2bc80
parent 1d45424c6a75cf46caaa8cc281ffbf2207d960bb

Policy for overlay_remounter

Test: Manual
Bug: 388912628
Change-Id: I9f27647f0e8d3ece229e7a46d50d54aa1f76fd76

private/crash_dump.te

diff --git a/private/crash_dump.te b/private/crash_dump.te
index a9a802c..4bd1d38 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -118,7 +118,10 @@
 
 # A domain transition must occur for crash_dump to get the privileges needed to trace the process.
 # Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
+neverallow {
+  domain
+  userdebug_or_eng(`-overlay_remounter')
+} crash_dump_exec:file execute_no_trans;
 
 # sigchld not explicitly forbidden since it's part of the
 # domain-transition-on-exec macros, and is by itself not sensitive