From 071b935d0bbbff90fb3f85c4e91793379d2ec37d Mon Sep 17 00:00:00 2001
From: Janis Danisevskis <jdanis@google.com>
Date: Wed, 14 Sep 2016 10:00:13 +0100
Subject: [PATCH] Allow debuggerd execmem on debuggable domains

In anticipation of fixing a loophole in the Linux kernel that allows
circumventing the execmem permission by using the ptrace interface,
this patch grants execmem permission on debuggable domains to
debuggerd. This will be required for setting software break points
once the kernel has been fixed.

Bug: 31000401
Change-Id: I9b8d5853b643d24b94d36e2adbcb135dbaef8b1e
---
 debuggerd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debuggerd.te b/debuggerd.te
index 1e84e8d31..80d3f5c6c 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -18,7 +18,7 @@ allow debuggerd {
   -keystore
   -ueventd
   -watchdogd
-}:process { ptrace getattr };
+}:process { execmem ptrace getattr };
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
-- 
GitLab