am dcfcdbdf: Merge "Don\'t allow ptrace on keystore"

* commit 'dcfcdbdf': Don't allow ptrace on keystore

am dcfcdbdf: Merge "Don\'t allow ptrace on keystore"
df3d1f86 · Nick Kralevich · Android Git Automerger · 7fb77b81 · dcfcdbdf · df3d1f86
Commit df3d1f86 authored 11 years ago by Nick Kralevich Committed by Android Git Automerger 11 years ago
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;

--- a/keystore.te
+++ b/keystore.te
@@ -15,7 +15,7 @@ allow keystore tee:unix_stream_socket connectto;
 ###
 ### Neverallow rules
 ###
-### Protect our files from others
+### Protect ourself from others
 ###
 neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto };
@@ -23,3 +23,5 @@ neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relab
 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:dir *;
 neverallow { domain -keystore -init -kernel -recovery } keystore_data_file:notdevfile_class_set *;
+neverallow domain keystore:process ptrace;