Sepolicy: Allow crash_dump to ptrace apexd in userdebug

In userdebug, for better diagnostics, allow crash_dump to "connect
to" apexd.

Considering apexd is quite powerful, user devices remain restricted.

Bug: 118771487
Test: m
Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fd2e4b6..4c0aa18 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -18,7 +18,7 @@
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };
 userdebug_or_eng(`
-  allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
+  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
 ')
 
 ###
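Review bot: The userdebug_or_eng allow line now lists apexd beside llkd, logd and vold with no comment saying why these daemons are dumpable only on debug builds. The rule also grants signal, sigchld, sigstop and sigkill, which is wider than the ptrace named in the commit title, so the comment should state the full scope. I would add above the macro: `# Debug builds only: crash_dump may attach to and signal these privileged daemons; each entry must be mirrored by a neverallow exemption.` The first allow statement begins before this hunk, so whether its exclusion list already carries -apexd cannot be confirmed from here.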
@@ -29,6 +29,8 @@
 # files, so we avoid adding redundant assertions here
 
 neverallow crash_dump {
+  apexd
+  userdebug_or_eng(`-apexd')
   bpfloader
   init
   kernel
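Review bot: The new pair at the top of the neverallow set adds apexd and then subtracts it inside userdebug_or_eng, which reads as a contradiction unless the reader knows the macro expands to nothing on user builds. A one-line comment would make the intent auditable: `# apexd: asserted on user builds, exempt on userdebug/eng (see the allow rule above).` The set's closing brace and permission list lie outside the hunk, so which permissions this assertion covers for apexd is not visible here. It is worth checking that they line up with the permissions granted in the userdebug allow rule.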
diff --git a/public/apexd.te b/public/apexd.te
index f990879..3957ed6 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -9,7 +9,7 @@
 neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
 neverallow { domain -init -apexd -system_server } apexd:binder call;
 
-neverallow domain apexd:process ptrace;
+neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
 
 # only apexd can set apexd sysprop
 neverallow { domain -apexd -init } apexd_prop:property_service set;
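Review bot: The relaxed ptrace assertion on apexd has no comment explaining the crash_dump exemption, and this is the rule an auditor reads first when asking who may attach to apexd. I would add above it: `# crash_dump may ptrace apexd on userdebug/eng for crash diagnostics; user builds forbid all ptrace of apexd.` Because the macro changes what the assertion expands to per build variant, building a user target as well as a userdebug one would confirm the unexempted form still passes.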