am de11f501: Remove ptrace from app.te

* commit 'de11f501': Remove ptrace from app.te

am de11f501: Remove ptrace from app.te
f57e2fd7 · Nick Kralevich · Android Git Automerger · 8fc8d1f0 · de11f501 · f57e2fd7
Commit f57e2fd7 authored 9 years ago by Nick Kralevich Committed by Android Git Automerger 9 years ago
--- a/app.te
+++ b/app.te
@@ -19,9 +19,6 @@ allow appdomain zygote:fd use;
 # valgrind needs mmap exec for zygote
 allow appdomain zygote_exec:file rx_file_perms;
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow appdomain self:process ptrace;
 # Read system properties managed by zygote.
 allow appdomain zygote_tmpfs:file read;

--- a/isolated_app.te
+++ b/isolated_app.te
@@ -21,6 +21,13 @@ allow isolated_app display_service:service_manager find;
 # only allow unprivileged socket ioctl commands
 allow isolated_app self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls;
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
 #####
 ##### Neverallow
 #####

--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -113,6 +113,9 @@ userdebug_or_eng(`
  allow untrusted_app perfprofd_data_file:dir r_dir_perms;
 ')
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app self:process ptrace;
 # Programs routinely attempt to scan through /system, looking
 # for files. Suppress the denials when they occur.
 dontaudit untrusted_app exec_type:file getattr;