Merge "Support run-as and ndk-gdb functionality."
diff --git a/debuggerd.te b/debuggerd.te
index 66eac1c..0443aef 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -8,7 +8,7 @@
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
-allow debuggerd domain:process ptrace;
+allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd }:process ptrace;
 security_access_policy(debuggerd)
 allow debuggerd system_data_file:dir create_dir_perms;
 allow debuggerd system_data_file:dir relabelfrom;
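Review bot: The five domains subtracted on the added ptrace line (`-init -ueventd -watchdogd -healthd -adbd`) carry no rationale, so a later edit has nothing to say whether the list is complete or why each entry is there. A comment above the rule would record the intent, for example `# debuggerd must not ptrace core system daemons; crashes in these domains are not attached to.` (adjust to the real reason). The neverallow added in domain.te covers only init, so for the other four this allow rule is the only place the restriction is expressed.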
diff --git a/domain.te b/domain.te
index 2b7c0a6..701297f 100644
--- a/domain.te
+++ b/domain.te
@@ -156,3 +156,6 @@
 # security-sensitive proc settings.
 neverallow { domain -init } usermodehelper:file { append write };
 neverallow { domain -init } proc_security:file { append write };
+
+# No domain should be allowed to ptrace init.
+neverallow domain init:process ptrace;
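Review bot: Only init is pinned by the new neverallow, while the debuggerd.te change in this same commit also stops debuggerd from tracing ueventd, watchdogd, healthd and adbd. If those four are meant to be untraceable by every domain, nothing here would fail the build when a later allow rule grants it. Consider `neverallow domain { init ueventd watchdogd healthd adbd }:process ptrace;`, or extend the comment to say why only init needs the build-time guarantee.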
diff --git a/genfs_contexts b/genfs_contexts
index 2aed2bc..8560e38 100644
--- a/genfs_contexts
+++ b/genfs_contexts
@@ -15,6 +15,7 @@
 genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
 genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
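Review bot: The new proc_security label on `/sys/vm/mmap_min_addr` places it under `neverallow { domain -init } proc_security:file { append write };` in domain.te, but the entry has no comment saying so. Lowering this sysctl weakens the kernel's low-address mapping protection, so the intent is worth stating next to the label, e.g. `# mmap_min_addr: only init may be granted write access (proc_security).`. It would also be worth confirming that no existing domain other than init writes this file, since such a rule would now fail the neverallow check.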
diff --git a/unconfined.te b/unconfined.te
index d6c8598..45c8292 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -19,8 +19,7 @@
 allow unconfineddomain self:capability_class_set *;
 allow unconfineddomain kernel:security ~{ load_policy setenforce };
 allow unconfineddomain kernel:system *;
-allow unconfineddomain self:memprotect *;
-allow unconfineddomain domain:process *;
+allow unconfineddomain domain:process ~ptrace;
 allow unconfineddomain domain:fd *;
 allow unconfineddomain domain:dir r_dir_perms;
 allow unconfineddomain domain:lnk_file r_file_perms;
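Review bot: The `~ptrace` complement on the added line grants every process permission except ptrace, including any permission added to the class later. Nothing in the file records why ptrace and `self:memprotect` are now withheld from unconfined domains. A comment above the rule would keep a later cleanup from restoring them, e.g. `# Unconfined domains get no ptrace and no memprotect (mmap_zero); grant these per domain where needed.`. If the set of process permissions that unconfined domains actually need is known, an explicit list would be easier to audit than the complement.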