Restrict ptrace access by debuggerd and unconfineddomain.

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

debuggerd.te

@@ -8,7 +8,7 @@ allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;

domain.te

@@ -156,3 +156,6 @@ neverallow domain kmem_device:chr_file ~{ create relabelto unlink setattr };
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;

unconfined.te

@@ -20,7 +20,7 @@ allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;