Protect apps from ptrace by other system components am: 84a42ead am: 315f2fb2 am: e1adac6e

am: 31d43787 Change-Id: Idb22ea343982ea6f150926cc0c6fdae41a923a32

Protect apps from ptrace by other system components am: 84a42ead am: 315f2fb2 am: e1adac6e
4e389c7f · Nick Kralevich · android-build-merger · b922decf · 31d43787 · 4e389c7f
Commit 4e389c7f authored 7 years ago by Nick Kralevich Committed by android-build-merger 7 years ago
--- a/public/app.te
+++ b/public/app.te
@@ -405,6 +405,14 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -appdomain -crash_dump } appdomain:process ptrace;
 # Read or write access to /proc/pid entries for any non-app domain.
 # A different form of hidepid=2 like protections
 neverallow appdomain { domain -appdomain }:file no_w_file_perms;

--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,12 @@ tmpfs_domain($1)
 allow $1 $1_tmpfs:file execute;
 neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
 neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+# The Android security model guarantees the confidentiality and integrity
+# of application data and execution state. Ptrace bypasses those
+# confidentiality guarantees. Disallow ptrace access from system components
+# to apps. Crash_dump is excluded, as it needs ptrace access to
+# produce stack traces.
+neverallow { domain -$1 -crash_dump } $1:process ptrace;
 ')
 #####################################