Merge cherrypicks of [4667264, 4667744, 4667382, 4666687, 4667506, 4667745, 4667225, 4667226, 4667227, 4667228, 4668483, 4668486, 4668487, 4668489, 4666733, 4668492, 4668493, 4668495, 4667548, 4667482, 4667549, 4667550, 4667551, 4667552, 4667553, 4667554, 4667555, 4667556, 4666734, 4666688, 4668511, 4668531, 4667265] into pi-release
Change-Id: I8c3ca924de694cd4646a47fa8235ceb2b03331d1
diff --git a/prebuilts/api/28.0/private/crash_dump.te b/prebuilts/api/28.0/private/crash_dump.te
index fb73f08..c3d2ed5 100644
--- a/prebuilts/api/28.0/private/crash_dump.te
+++ b/prebuilts/api/28.0/private/crash_dump.te
@@ -1 +1,14 @@
typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/prebuilts/api/28.0/public/crash_dump.te b/prebuilts/api/28.0/public/crash_dump.te
index f778d28..cd1e5a8 100644
--- a/prebuilts/api/28.0/public/crash_dump.te
+++ b/prebuilts/api/28.0/public/crash_dump.te
@@ -1,14 +1,6 @@
type crash_dump, domain;
type crash_dump_exec, exec_type, file_type;
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fb73f08..c3d2ed5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1 +1,14 @@
typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/public/crash_dump.te b/public/crash_dump.te
index f778d28..cd1e5a8 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,14 +1,6 @@
type crash_dump, domain;
type crash_dump_exec, exec_type, file_type;
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };