From 2b93db7795b31ed090af49f8aaa2fccfc9a400ec Mon Sep 17 00:00:00 2001
From: Josh Gao <jmgao@google.com>
Date: Tue, 17 Nov 2015 16:21:38 -0800
Subject: [PATCH] debuggerd.te: allow debuggerd to drop root.

Bug: http://b/25195825
Change-Id: I70257d5e40332f315020547baaa77a92fdfc58b0
---
 debuggerd.te | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/debuggerd.te b/debuggerd.te
index 0e3cf6805..196a8fd86 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -4,17 +4,14 @@ type debuggerd_exec, exec_type, file_type;
 
 init_daemon_domain(debuggerd)
 typeattribute debuggerd mlstrustedsubject;
-allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
+allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
 allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
 security_access_policy(debuggerd)
-allow debuggerd system_data_file:dir create_dir_perms;
-allow debuggerd system_data_file:dir relabelfrom;
-allow debuggerd tombstone_data_file:dir relabelto;
-allow debuggerd tombstone_data_file:dir create_dir_perms;
+allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
 allow debuggerd shared_relro_file:file r_file_perms;
-- 
GitLab