From de11f5017c53aabba212425406962d21148fd2f6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 13 Oct 2015 16:20:05 -0700
Subject: [PATCH] Remove ptrace from app.te

Remove ptrace from app.te, and only add it to the app domains
which explicitly require it.

Change-Id: I327aabd154ae07ce90e3529dee2b324ca125dd16
---
 app.te           | 3 ---
 isolated_app.te  | 7 +++++++
 untrusted_app.te | 3 +++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/app.te b/app.te
index 37ab9a305..c670c9dd8 100644
--- a/app.te
+++ b/app.te
@@ -19,9 +19,6 @@ allow appdomain zygote:fd use;
 # valgrind needs mmap exec for zygote
 allow appdomain zygote_exec:file rx_file_perms;
 
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow appdomain self:process ptrace;
-
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;
 
diff --git a/isolated_app.te b/isolated_app.te
index 330f0af38..463f02d07 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,6 +21,13 @@ allow isolated_app display_service:service_manager find;
 # only allow unprivileged socket ioctl commands
 allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
 
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
 #####
 ##### Neverallow
 #####
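Review bot: The comment above `allow isolated_app self:process ptrace;` records Breakpad's need but not the scope of the grant, which is what a later audit of the neverallow section that starts right below will want stated: `self` in SELinux restricts the target to processes running in the isolated_app security context itself, not to processes in other app domains. Suggest appending `# Scope: self only — this does not permit tracing processes outside the isolated_app context.` to the comment block. The two external references are useful, but since they can go stale, consider also keeping a one-line statement of the actual requirement (crash-time read access to the crashing process) so the rule can be re-evaluated without them.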
diff --git a/untrusted_app.te b/untrusted_app.te
index eb3005a99..bbdfdaf77 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -110,6 +110,9 @@ userdebug_or_eng(`
   allow untrusted_app perfprofd_data_file:dir r_dir_perms;
 ')
 
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app self:process ptrace;
+
 # Programs routinely attempt to scan through /system, looking
 # for files. Suppress the denials when they occur.
 dontaudit untrusted_app exec_type:file getattr;
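Review bot: The new `allow untrusted_app self:process ptrace;` rule is placed after the `')` that closes the `userdebug_or_eng(` block, so unlike the perfprofd rule just above it applies to user builds as well; the comment carried over from app.te does not say whether that is deliberate. If ndk-gdb attaching to debuggable apps on user builds is the intent, make it explicit, e.g. `# Intentionally unconditional (not userdebug_or_eng): ndk-gdb attaches to debuggable apps on user builds.` so a future reader does not assume it was meant to sit inside the block. Whether the unconditional placement is intended cannot be confirmed from the hunk alone.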
-- 
GitLab