Allow gmscore to ptrace itself
This is needed to debug native crashes within the gmscore app.
Now that GMS core is running in gmscore_app and not in the priv_app
domain, we need this rule for the new domain. This also adds an
auditallow to the same rule for priv_app, so we can delete it once no
logs show up in go/sedenials for this rule triggering.
Bug: 142672293
Test: TH
Change-Id: I7d28bb5df1a876d0092758aff321e62fa2979694
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index b2e5d16..ec98717 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -67,6 +67,9 @@
# Access the network
net_domain(gmscore_app)
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow gmscore_app self:process ptrace;
+
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
# to be supported for now for the following reasons.
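Review bot: The comment above the new `allow gmscore_app self:process ptrace;` is copied from priv_app.te and cites only the webview crash bugs, while the commit message gives debugging native crashes in GMS core as the reason. I would reword it to carry this change's own bug, for example `# Needed to debug native crashes in GMS core (b/142672293); webview crash handling also depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)`. It is also worth stating that `self` matches on the domain type rather than on the individual process, so the rule permits ptrace between any two processes labelled gmscore_app, still subject to the kernel's ordinary ptrace checks. The rule is unconditional, so it applies on user builds as well.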
diff --git a/private/priv_app.te b/private/priv_app.te
index c776907..a414079 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -16,6 +16,10 @@
# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
allow priv_app self:process ptrace;
+# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
+userdebug_or_eng(`
+ auditallow priv_app self:process ptrace;
+')
# Allow loading executable code from writable priv-app home
# directories. This is a W^X violation, however, it needs
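Review bot: The `auditallow priv_app self:process ptrace;` sits inside `userdebug_or_eng`, so it logs only on userdebug and eng builds. A priv-app that is exercised only on user builds will never appear in the logs, which makes an empty log weaker evidence for deleting the `allow` than the commit message suggests. The added comment should record that limit and the follow-up, for example `# TODO(b/142672293): remove the allow above once this auditallow stays silent; it only logs on userdebug/eng builds.` Until the rule is removed, every priv_app process keeps ptrace access to other processes in the same domain.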