From 95e0842e341352af16bed4055ccf67878c322985 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 9 Dec 2013 12:49:47 -0500
Subject: [PATCH] Restrict ptrace access by debuggerd and unconfineddomain.

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 debuggerd.te  | 2 +-
 domain.te     | 3 +++
 unconfined.te | 2 +-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/debuggerd.te b/debuggerd.te
index 66eac1cea..0443aef18 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -8,7 +8,7 @@ allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
diff --git a/domain.te b/domain.te
index 2b7c0a676..701297f9d 100644
--- a/domain.te
+++ b/domain.te
@@ -156,3 +156,6 @@ neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
diff --git a/unconfined.te b/unconfined.te
index d6c8598b0..daa684982 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -20,7 +20,7 @@ allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
-- 
GitLab