Block crash_dump from no_crash_dump_domain
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.
Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index a636e9c..61dfa0b 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -57,6 +57,7 @@
-init
-kernel
-logd
+ -no_crash_dump_domain
-ueventd
-vendor_init
}:process { ptrace signal sigchld sigstop sigkill };
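Review bot: the added `-no_crash_dump_domain` entry in this exclusion set has no comment, and nothing in the visible lines says what the attribute means or which domains carry it. The neighbouring entries (`-init`, `-kernel`, `-logd`) name concrete domains, whereas this one is an attribute whose membership is defined outside this file. Suggest a one-line comment above the set stating that domains tagged with the attribute must not be ptraced or signalled by crash_dump. It is also worth confirming that every microdroid domain meant to be protected actually carries the attribute, since "Test: Builds" does not exercise that.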
@@ -67,3 +68,5 @@
logd
}:process { ptrace signal sigchld sigstop sigkill };
')
+
+neverallow crash_dump no_crash_dump_domain:process ptrace;
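Review bot: the new neverallow names only `ptrace`, while the set edited in the first hunk and the context rule just above both cover `{ ptrace signal sigchld sigstop sigkill }`. If the goal is that crash_dump cannot be pointed at these domains at all, the assertion is narrower than the exclusion it backs up: a later rule granting `signal`, `sigstop` or `sigkill` on `no_crash_dump_domain` would still compile. Either widen the neverallow to the same permission set or add a comment saying why only `ptrace` is asserted. The rule also sits after the closing `')`, so it is outside the block that line closes; that looks right for a rule meant to hold unconditionally, but worth confirming it is intentional.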