Allow debuggerd to redirect requests.
On 64 bit systems, all requests will first go to the 64 bit debuggerd
which will redirect to the 32 bit debuggerd if necessary. This avoids
any permissions problems where a java process needs to be able to
read the elf data for executables. Instead the permissions are granted
to debuggerd instead.
Also remove the permissions to read the /system/bin executables from
dumpstate since they aren't necessary any more.
Bug: https://code.google.com/p/android/issues/detail?id=97024
Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
diff --git a/debuggerd.te b/debuggerd.te
index b946074..4f84813 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -22,6 +22,10 @@
allow debuggerd exec_type:file r_file_perms;
# Access app library
allow debuggerd system_data_file:file open;
+# Allow debuggerd to redirect a dump_backtrace request to itself.
+# This only happens on 64 bit systems, where all requests go to the 64 bit
+# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
+allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
diff --git a/dumpstate.te b/dumpstate.te
index 2324c25..ad4f238 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -104,9 +104,6 @@
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;
-# Access /system/bin executables to determine type of executable.
-allow dumpstate {drmserver_exec mediaserver_exec sdcardd_exec surfaceflinger_exec}:file r_file_perms;
-
allow dumpstate {
drmserver_service
healthd_service