From 50d506212ee33c19c9258a3cb5fc94d396a58f0b Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 10 Apr 2015 11:07:57 -0700
Subject: [PATCH] Revert "Exclude isolated_app from ptrace self."

Google Breakpad (crash reporter for Chrome) relies on ptrace
functionality. Without the ability to ptrace, the crash reporter
tool is broken.

Addresses the following denial:

  type=1400 audit(1428619926.939:1181): avc: denied { ptrace } for pid=10077 comm="CrRendererMain" scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:r:isolated_app:s0:c512,c768 tclass=process permissive=0

This reverts commit e9623d8fe698c4600660ec4a7598f0d6cf083e3a.

Bug: 20150694
Bug: https://code.google.com/p/chromium/issues/detail?id=475270
Change-Id: I1727c6a93f10ea6db877687a8f81ec789f9e501f
---
 app.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.te b/app.te
index ba39ff4ff..5e6988846 100644
--- a/app.te
+++ b/app.te
@@ -19,7 +19,7 @@ allow appdomain zygote:fd use;
 allow appdomain zygote_exec:file rx_file_perms;
 
 # gdbserver for ndk-gdb ptrace attaches to app process.
-allow { appdomain -isolated_app } self:process ptrace;
+allow appdomain self:process ptrace;
 
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
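Review bot: The comment kept above the changed rule ("# gdbserver for ndk-gdb ptrace attaches to app process.") no longer documents why isolated_app is covered. The commit message gives the reason as Breakpad in the renderer (the denial shows comm="CrRendererMain" with isolated_app as both scontext and tcontext). Without a note in app.te, the `-isolated_app` exclusion is likely to be reintroduced. Suggest extending the comment to name the crash reporter dependency, or keeping the original line and adding a separate `allow isolated_app self:process ptrace;` with its own comment, so the grant to the most restricted app domain stays visible and easy to audit.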
-- 
GitLab