From 6bae84a53579a4c81a393e12a5e0b48558ffe11e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 18 Feb 2017 08:22:54 -0800
Subject: [PATCH] dumpstate: assert no process ptrace

dumpstate has CAP_SYS_PTRACE solely for the purpose of reading sensitive
/proc/PID files, not for using ptrace attach. Add an assert to ensure
that's the case.

Test: policy compiles.
Change-Id: I975308fae3f8e9a039b9efdc0e9605192b405ce7
---
 public/dumpstate.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/public/dumpstate.te b/public/dumpstate.te
index 2ba0e5873..ac81ccc30 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -195,6 +195,10 @@ add_service(dumpstate, dumpstate_service)
 ### neverallow rules
 ###
 
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
 # only system_server, dumpstate and shell can find the dumpstate service
 neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
 
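Review bot: The comment on the added `neverallow dumpstate *:process ptrace;` describes it as forbidding only ptrace attach, but `process ptrace` is the permission the SELinux ptrace_access_check hook charges for every PTRACE_MODE_ATTACH-class access, which on kernels that distinguish read from attach mode also covers attach-gated /proc/PID files such as /proc/PID/mem; the assertion is therefore slightly broader than the comment states, which is worth making explicit so nobody later "fixes" a /proc/PID/mem denial by loosening it. Suggest widening the second comment line to `# accessing PTRACE_MODE_READ-gated /proc/PID files, never for ptrace attach or attach-gated files such as /proc/PID/mem.` Because a neverallow is a policy-build-time assertion rather than a runtime rule, `Test: policy compiles` is the right check here: any existing grant of process ptrace to dumpstate would surface as a compile failure, not as an avc denial on a device.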
-- 
GitLab