Skip to content
Snippets Groups Projects
Commit b299e593 authored by Nick Kralevich's avatar Nick Kralevich Committed by Android (Google) Code Review
Browse files

Merge "system_server: replace sys_resource with sys_ptrace"

parents fcec2a8f 44866954
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
private/system_server.te
+ 9
4
View file @ b299e593
...@@ -68,16 +68,13 @@ allow system_server self:capability { ...@@ -68,16 +68,13 @@ allow system_server self:capability {
net_raw net_raw
sys_boot sys_boot
sys_nice sys_nice
sys_resource sys_ptrace
sys_time sys_time
sys_tty_config sys_tty_config
}; };
wakelock_use(system_server) wakelock_use(system_server)
# Triggered by /proc/pid accesses, not allowed.
dontaudit system_server self:capability sys_ptrace;
# Trigger module auto-load. # Trigger module auto-load.
allow system_server kernel:system module_request; allow system_server kernel:system module_request;
...@@ -697,3 +694,11 @@ neverallow system_server system_server_tmpfs:file execute; ...@@ -697,3 +694,11 @@ neverallow system_server system_server_tmpfs:file execute;
# dexoptanalyzer is currently used only for secondary dex files which # dexoptanalyzer is currently used only for secondary dex files which
# system_server should never access. # system_server should never access.
neverallow system_server dexoptanalyzer_exec:file no_x_file_perms; neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
# No ptracing others
neverallow system_server { domain -system_server }:process ptrace;
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
# This neverallow can be removed after b/34951864 is fixed.
neverallow system_server system_server:capability sys_resource;
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment