From 258cb17abc5bea49a4e56a3a56a9a7b0db60cbfd Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 29 Oct 2013 14:42:35 -0400
Subject: [PATCH] Confine debuggerd, but leave it permissive for now.

Change-Id: I09932cdd59f9d3a38e69df9fcfc34cc9cec1d8cd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 debuggerd.te | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/debuggerd.te b/debuggerd.te
index cdf00de28..5a2e5ff1d 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -1,11 +1,26 @@
 # debugger interface
 type debuggerd, domain;
+permissive debuggerd;
 type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
-unconfined_domain(debuggerd)
+typeattribute debuggerd mlstrustedsubject;
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability2 { syslog };
+allow debuggerd domain:dir r_dir_perms;
+allow debuggerd domain:file r_file_perms;
+allow debuggerd domain:process ptrace;
+security_access_policy(debuggerd)
+allow debuggerd system_data_file:dir create_dir_perms;
+allow debuggerd system_data_file:dir relabelfrom;
 relabelto_domain(debuggerd)
 allow debuggerd tombstone_data_file:dir relabelto;
+allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:file create_file_perms;
+allow debuggerd domain:process { sigstop signal };
+allow debuggerd exec_type:file r_file_perms;
+# Access app library
+allow debuggerd system_data_file:file open;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
-- 
GitLab