Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / 95e0842e341352af16bed4055ccf67878c322985^! / .
commit95e0842e341352af16bed4055ccf67878c322985[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Mon Dec 09 12:49:47 2013 -0500
committerStephen Smalley <sds@tycho.nsa.gov>Mon Dec 09 12:59:17 2013 -0500
tree0c8f542f56aeeff8f7c4d6d4fd915b5777f64cd8
parent82fc3b524164588388aa3595bd2158020d93d28a [diff]
Restrict ptrace access by debuggerd and unconfineddomain.

Remove init, ueventd, watchdogd, healthd and adbd from the set of
domains traceable by debuggerd.  bionic/linker/debugger.cpp sets up
handlers for all dynamically linked programs in Android but this
should not apply for statically linked programs.

Exclude ptrace access from unconfineddomain.

Prohibit ptrace access to init via neverallow.

Change-Id: I70d742233fbe40cb4d1772a4e6cd9f8f767f2c3a
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/debuggerd.te b/debuggerd.te
index 66eac1c..0443aef 100644
--- a/debuggerd.te
+++ b/debuggerd.te

@@ -8,7 +8,7 @@
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;

diff --git a/domain.te b/domain.te
index 2b7c0a6..701297f 100644
--- a/domain.te
+++ b/domain.te

@@ -156,3 +156,6 @@
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;

diff --git a/unconfined.te b/unconfined.te
index d6c8598..daa6849 100644
--- a/unconfined.te
+++ b/unconfined.te

@@ -20,7 +20,7 @@
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
 allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;