system_server: replace sys_resource with sys_ptrace

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added CAP_SYS_RESOURCE as a capability check which would allow access to sensitive /proc/PID files. However, in an SELinux based world, allowing this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE (without :process ptrace) already provides. Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE. Test: Device boots, functionality remains identical, no sys_resource denials from system_server. Bug: 34951864 Bug: 38496951 Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34 (cherry picked from commit 44866954)

system_server: replace sys_resource with sys_ptrace
3d8dde0e · Nick Kralevich · JP Sugarbroad · 87a56541 · 3d8dde0e
Commit 3d8dde0e authored 8 years ago by Nick Kralevich Committed by JP Sugarbroad 7 years ago
--- a/system_server.te
+++ b/system_server.te
@@ -54,16 +54,13 @@ allow system_server self:capability {
    net_raw
    sys_boot
    sys_nice
-    sys_resource
+    sys_ptrace
    sys_time
    sys_tty_config
 };
 wakelock_use(system_server)
-# Triggered by /proc/pid accesses, not allowed.
-dontaudit system_server self:capability sys_ptrace;
 # Trigger module auto-load.
 allow system_server kernel:system module_request;