From b9cb73ad4e779f8b5dfb1ad09541d97e777ca672 Mon Sep 17 00:00:00 2001
From: Alan Stokes <alanstokes@google.com>
Date: Mon, 3 Sep 2018 17:27:54 +0100
Subject: [PATCH] Ensure crash_dump cannot be allowed to ptrace itself.

This is not needed and could conceivably be abused.

Test: Builds.
Bug: 110107376
Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5
---
 private/crash_dump.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/private/crash_dump.te b/private/crash_dump.te
index 186977f31..a50740ef3 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -24,3 +24,5 @@ neverallow crash_dump {
   vendor_init
   vold
 }:process { ptrace signal sigstop sigkill };
+
+neverallow crash_dump self:process ptrace;
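Review bot: The added `neverallow crash_dump self:process ptrace;` at the end of the file has no comment, so the policy itself does not record why self-ptrace is forbidden, or why only `ptrace` is listed when the rule directly above covers `ptrace signal sigstop sigkill`. Suggest a one-line comment above the new rule that carries the rationale from the commit message (not needed, could conceivably be abused) and states that the narrower permission set is deliberate. Because neverallow rules are enforced when the policy is compiled, "Test: Builds." does confirm that no existing allow rule grants crash_dump ptrace on itself.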
-- 
GitLab