From 30603f1ed90a82ab6f4ffc937be5429bbb2a375c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 9 Dec 2016 19:14:04 -0800
Subject: [PATCH] debuggerd.te: remove domain_deprecated

Remove domain_deprecated and add denials picked up by log collection.

Addresses the following auditallow messages:

  avc: granted { search } for comm="debuggerd" name="arm" dev="sda35"
  ino=57521 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=dir

  avc: granted { read } for comm="debuggerd"
  path="/data/app/dji.pilot-Z6Q2X6YjYNN2Ag8otZTCdg==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57854 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { getattr } for comm="debuggerd64"
  path="/data/app/com.google.android.youtube-2/lib/arm64/libcronet.so"
  dev="sda35" ino=1384657 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

  avc: granted { read open } for comm="debuggerd"
  path="/data/app/dji.pilot-We9wJivxEqhzfdtQrNFvaA==/lib/arm/libtpnsWatchdog.so"
  dev="sda35" ino=57575 scontext=u:r:debuggerd:s0
  tcontext=u:object_r:apk_data_file:s0 tclass=file

Bug: 28760354
Test: Device boots
Test: No unexpected denials in denial collection logs.
Change-Id: I1ae6203e37ddd4a19551d8063d26071ac20f2f3e
---
 public/debuggerd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/public/debuggerd.te b/public/debuggerd.te
index 0222e3470..5790e8338 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@@ -1,5 +1,5 @@
 # debugger interface
-type debuggerd, domain, domain_deprecated;
+type debuggerd, domain;
 type debuggerd_exec, exec_type, file_type;
 
 typeattribute debuggerd mlstrustedsubject;
@@ -30,6 +30,8 @@ allow debuggerd shared_relro_file:dir r_dir_perms;
 allow debuggerd shared_relro_file:file r_file_perms;
 allow debuggerd domain:process { sigstop sigkill signal };
 allow debuggerd { exec_type libart_file }:file r_file_perms;
+allow debuggerd apk_data_file:file r_file_perms;
+allow debuggerd apk_data_file:dir search;
 # Access app library
 allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
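Review bot: The two new `apk_data_file` rules land above the `# Access app library` comment rather than under it, so that comment now appears to describe only the `system_data_file:file open` rule and nothing in the file says why a privileged crash dumper needs read access under /data/app. Either move the new lines below that comment or give them their own, e.g. `# Read native libraries unpacked from APKs so crashing apps can be unwound/symbolized.`. Note also that `r_file_perms` is wider than the `read open getattr` the quoted auditallow messages show; if the macro expands to include `ioctl` and `lock` (its usual definition, not visible here), that is still a read-only footprint, but the narrower `{ read open getattr }` would match the evidence exactly. Worth keeping in mind, though not new with this change, is that these .so files are app-supplied input that debuggerd's ELF/unwind parsing consumes, so the access was already reachable through domain_deprecated and this commit only makes it explicit.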
-- 
GitLab