Protect apps from ptrace by other system components am: 84a42ead am: 315f2fb2

am: e1adac6e Change-Id: I7c2bffcdb7ce588bf8adb98fc11bd493b1c38c31

Protect apps from ptrace by other system components am: 84a42ead am: 315f2fb2
am: e1adac6e Change-Id: I7c2bffcdb7ce588bf8adb98fc11bd493b1c38c31
31d43787 · Nick Kralevich · android-build-merger · 18c78fcd · e1adac6e · 31d43787
Commit 31d43787 authored 6 years ago by Nick Kralevich Committed by android-build-merger 6 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -405,6 +405,14 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
 neverallow appdomain { domain -appdomain }:file no_w_file_perms;

--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,12 @@ tmpfs_domain($1)
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -$1 -crash_dump } $1:process ptrace;
 ')
 #####################################