From 2d6fa723867f4610503b9a4a65fca4e59b474914 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 27 Apr 2016 12:32:36 -0700
Subject: [PATCH] don't allow debuggerd to ptrace itself.

It doesn't make any sense for debuggerd to ever attempt to ptrace
itself. A debuggerd crash can't be debugged via debuggerd.

Bug: 28399663
Change-Id: I710d474e89d121385ef423b7bed9673a90e0759b
---
 debuggerd.te | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/debuggerd.te b/debuggerd.te
index 0b45fa964..9212d0eaf 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,16 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
+allow debuggerd {
+  domain
+  -adbd
+  -debuggerd
+  -healthd
+  -init
+  -keystore
+  -ueventd
+  -watchdogd
+}:process { ptrace getattr };
 security_access_policy(debuggerd)
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
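Review bot: The `-debuggerd` exclusion added at the new line 27 only withholds the permission; nothing in the policy stops a later rule from granting debuggerd ptrace on itself again, and the commit message states that should never make sense. Pinning the intent with `neverallow debuggerd self:process ptrace;` would turn a regression into a policy-build failure instead of a silently widened grant. The exclusion also removes `getattr` on self from this rule; if debuggerd needs process getattr on its own domain, confirm that a domain-wide self rule elsewhere (presumably in domain.te, not visible here) still provides it. Listing the excluded domains one per line in alphabetical order is a welcome style change that will keep future diffs to this set minimal.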
-- 
GitLab