Prevent ptrace of logd on user builds
system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later
amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd
doesn't want it's memory accessible by anyone else. Unfortunately,
setting DUMPABLE isn't sufficient against a root level process such with
ptrace. Only one such process exists, "debuggerd".
Block debuggerd from accessing logd's memory on user builds. Userdebug
and eng builds are unaffected. Add a neverallow rule (compile time
assertion + CTS test) to prevent regressions.
Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
diff --git a/public/debuggerd.te b/public/debuggerd.te
index 33f8878..0222e34 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@@ -15,9 +15,15 @@
-healthd
-init
-keystore
+ -logd
-ueventd
-watchdogd
}:process { execmem ptrace getattr };
+
+userdebug_or_eng(`
+ allow debuggerd logd:process { execmem ptrace getattr };
+')
+
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
diff --git a/public/logd.te b/public/logd.te
index 3e6f7b6..a35be5c 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -48,6 +48,9 @@
# ptrace any other app
neverallow logd domain:process ptrace;
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;
+
# Write to /system.
neverallow logd system_file:dir_file_class_set write;