Merge "Add new "procrank" SELinux domain."

581f25b0 · Nick Kralevich · Gerrit Code Review · 1d45b9c2 · a1913988 · 581f25b0
Commit 581f25b0 authored 10 years ago by Nick Kralevich Committed by Gerrit Code Review 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -177,7 +177,14 @@ neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 # Limit ability to ptrace or read sensitive /proc/pid files of processes
 # with other UIDs to these whitelisted domains.
-neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
+neverallow {
+  domain
+  -debuggerd
+  -vold
+  -dumpstate
+  -system_server
+  userdebug_or_eng(`-procrank')
+} self:capability sys_ptrace;
 # Limit device node creation to these whitelisted domains.
 neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -slideshow } self:capability mknod;

--- a/file_contexts
+++ b/file_contexts
@@ -156,6 +156,7 @@
 /system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
+/system/xbin/procrank   u:object_r:procrank_exec:s0
 /system/vendor/bin/gpsd u:object_r:gpsd_exec:s0
 /system/bin/dnsmasq     u:object_r:dnsmasq_exec:s0
 /system/bin/hostapd     u:object_r:hostapd_exec:s0

--- a/procrank.te
+++ b/procrank.te
+# File types must be defined for file_contexts.
+type procrank_exec, exec_type, file_type;
+userdebug_or_eng(`
+  type procrank, domain, mlstrustedsubject;
+  domain_auto_trans(shell, procrank_exec, procrank)
+  allow procrank self:capability sys_ptrace;
+  allow procrank devpts:chr_file { read write getattr ioctl };
+  r_dir_file(procrank, domain)
+  allow procrank shell:fd use;
+  allow procrank adbd:process sigchld;
+')