system_server: replace sys_resource with sys_ptrace

Commit https://android.googlesource.com/kernel/common/+/f0ce0eee added
CAP_SYS_RESOURCE as a capability check which would allow access to
sensitive /proc/PID files. However, in an SELinux-based world, allowing
this access causes CAP_SYS_RESOURCE to duplicate what CAP_SYS_PTRACE
(without :process ptrace) already provides.

Use CAP_SYS_PTRACE instead of CAP_SYS_RESOURCE.

Test: Device boots, functionality remains identical, no sys_resource
denials from system_server.
Bug: 34951864
Bug: 38496951
Change-Id: I04d745b436ad75ee1ebecf0a61c6891858022e34
(cherry picked from commit 448669540c0b7c22ee8b8293217818f8f92238b6)
(cherry picked from commit 3d8dde0e2e7ae6d6901ec3a708c8b891eacf1631)
1 file changed
tree: 9d4616d136d69bbfa0868d5afcda44045478fbab