From cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 5 Dec 2016 14:01:28 -0800
Subject: [PATCH] Prevent ptrace of logd on user builds

system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else.

Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd".

Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected.

Add a neverallow rule (compile time assertion + CTS test) to prevent regressions.

Bug: 32450474
Test: Policy compiles.
Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38
---
 public/debuggerd.te | 6 ++++++
 public/logd.te | 3 +++
 2 files changed, 9 insertions(+)

diff --git a/public/debuggerd.te b/public/debuggerd.te
index 33f88784f..0222e3470 100644
--- a/public/debuggerd.te
+++ b/public/debuggerd.te
@@ -15,9 +15,15 @@ allow debuggerd {
 -healthd
 -init
 -keystore
+ -logd
 -ueventd
 -watchdogd
 }:process { execmem ptrace getattr };
+
+userdebug_or_eng(`
+ allow debuggerd logd:process { execmem ptrace getattr };
+')
+
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
diff --git a/public/logd.te b/public/logd.te
index 3e6f7b691..a35be5ccd 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -48,6 +48,9 @@ neverallow logd dev_type:blk_file { read write };
 # ptrace any other app
 neverallow logd domain:process ptrace;
 
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;
+
 # Write to /system.
 neverallow logd system_file:dir_file_class_set write;
 
-- 
GitLab
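Review bot: The new `userdebug_or_eng` block in debuggerd.te carries no comment, so a reader of this file alone cannot tell why logd is the one domain that gets its `{ execmem ptrace getattr }` re-granted conditionally; the rationale lives only in logd.te and the commit message. A one-line comment above the block would fix that, e.g. `# logd refuses ptrace from any domain on user builds (see neverallow in logd.te); re-grant only where debugging is expected.` Note also that the `-logd` exclusion removes `execmem` and `getattr` along with `ptrace`, which is broader than what the logd.te neverallow requires — if that is intended, saying so in the same comment would prevent a later "fix" that re-adds them. The practical consequence worth stating somewhere in the diff is that on user builds debuggerd can no longer attach to a crashing logd, so logd crashes there will presumably produce no tombstone; the commit message does not mention this trade-off.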
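Review bot: The comment added above the neverallow in logd.te is imprecise: it says "nobody may ptrace me (except on userdebug or eng builds)", but the rule only carves out `debuggerd` on those builds — every other domain stays forbidden regardless of build variant. Suggest `# ... and nobody may ptrace me (except debuggerd, and only on userdebug or eng builds)` so the comment matches the `userdebug_or_eng(`-debuggerd')` exclusion exactly. Since this is a neverallow, it is a compile-time assertion rather than a runtime grant, so the matching allow-side change in debuggerd.te is what actually governs behaviour; the comment could say that a CTS test also enforces it, as the commit message claims, so future readers know why the rule must stay in sync with debuggerd.te.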