Merge "Rules for new installd Binder interface."

commit: fed665edcab272c8b6741fc3114da85754f13223 [log] [tgz]
author: Jeff Sharkey <jsharkey@android.com> Tue Dec 06 00:14:53 2016 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Dec 06 00:14:54 2016 +0000
tree: 4be8826e377cc04e7cb853e29baa3d33cfff40a3
parent: cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 [diff]
parent: e160d14ed1440e9dabb909b09e147103ddaf3a02 [diff]
diff --git a/public/debuggerd.te b/public/debuggerd.te
index 33f8878..0222e34 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te

@@ -15,9 +15,15 @@
   -healthd
   -init
   -keystore
+  -logd
   -ueventd
   -watchdogd
 }:process { execmem ptrace getattr };
+
+userdebug_or_eng(`
+  allow debuggerd logd:process { execmem ptrace getattr };
+')
+
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;

diff --git a/public/logd.te b/public/logd.te
index 3e6f7b6..a35be5c 100644
--- a/public/logd.te
+++ b/public/logd.te

@@ -48,6 +48,9 @@
 # ptrace any other app
 neverallow logd domain:process ptrace;
 
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;
+
 # Write to /system.
 neverallow logd system_file:dir_file_class_set write;
commit	fed665edcab272c8b6741fc3114da85754f13223	[log] [tgz]
author	Jeff Sharkey <jsharkey@android.com>	Tue Dec 06 00:14:53 2016 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Tue Dec 06 00:14:54 2016 +0000
tree	4be8826e377cc04e7cb853e29baa3d33cfff40a3
parent	cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 [diff]
parent	e160d14ed1440e9dabb909b09e147103ddaf3a02 [diff]