From ba992496f01e40a10d9749bb25b6498138e607fb Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 24 Jul 2014 15:25:43 -0400
Subject: [PATCH] Define debuggerd class, permissions, and rules.

Define a new class, permissions, and rules for the debuggerd
SELinux MAC checks.

Used by Ib317564e54e07cc21f259e75124b762ad17c6e16 for debuggerd.

Change-Id: I8e120d319512ff207ed22ed87cde4e0432a13dda
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 access_vectors   | 6 ++++++
 debuggerd.te     | 5 ++++-
 security_classes | 3 +++
 system_server.te | 3 +++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/access_vectors b/access_vectors
index 5e7834140..1b26bce96 100644
--- a/access_vectors
+++ b/access_vectors
@@ -915,3 +915,9 @@ class keystore_key
 	duplicate
 	clear_uid
 }
+
+class debuggerd
+{
+	dump_tombstone
+	dump_backtrace
+}
diff --git a/debuggerd.te b/debuggerd.te
index 6bbeac4a6..22afe63ac 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -9,7 +9,7 @@ allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
-allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
@@ -31,3 +31,6 @@ userdebug_or_eng(`
 
 # logd access
 read_logd(debuggerd)
+
+# Check SELinux permissions.
+selinux_check_access(debuggerd)
diff --git a/security_classes b/security_classes
index fcee928e7..ca8f4689b 100644
--- a/security_classes
+++ b/security_classes
@@ -143,4 +143,7 @@ class service_manager           # userspace
 # Keystore Key
 class keystore_key              # userspace
 
+# debuggerd service
+class debuggerd                 # userspace
+
 # FLASK
diff --git a/system_server.te b/system_server.te
index 9d973dbbc..9d3dfa143 100644
--- a/system_server.te
+++ b/system_server.te
@@ -127,6 +127,9 @@ binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
 
+# Ask debuggerd to dump backtraces for native stacks of interest.
+allow system_server { mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
+
 # Read /proc/pid files for dumping stack traces of native processes.
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, sdcardd)
-- 
GitLab